Data Breaches

Data breach archive (2012-2018​)

2019 Data Breaches​

October 2019

Date Public NotifiedDate of BreachCompanyData Stolen

August 19, 2019

June 26 - 28, 2019

Cornerstone, Inc.

Name, address, Social Security number, date of birth, driver’s license information, and telephone number.

Who's AffectedDetails

Unknown number of affected individuals including an unknown number of Wisconsin residents.

​​​On or around July 9, 2019, Cornerstone learned that an unauthorized third party may have obtained a Cornerstone applicant’s online rental application, which contained that individual’s personal information. Cornerstone conducted an investigation and cannot rule out that an unauthorized actor may have gained access to the database which stores rental applications.

Cornerstone has identified which individuals’ information may have been affected by any potential unauthorized access and notification letters have been sent.

Cornerstone is offering potentially affected tenants and applicants complimentary credit monitoring and identity protection services for at least one year through TransUnion®.

If you have questions concerning this incident, the Cornerstone response line can be contacted at 855-683-4611, Monday through Friday, 8:00 a.m. to 8:00 p.m. Central Time. More information can also be found at https://www.rentatcornerstone.com/documents/cornerstone-data-security-2019-08-18.pdf.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@wi.gov.

September 2019

Date Public Notified Date of Breach Company Data Stolen

September 12, 2019

September 2-12, 2019

Zynga Inc.

Name, email address, and account login information for certain players of Draw Something adn Words With Friends which may include passwords

Who's Affected Details

Approximately 200 million affected individuals includnig an unknown number of Wisconsin residents

​​​On September 12, 2019, Zynga Inc. announced they recently discovered that certain player account information may have been illegally accessed by outside hackers.

Zynga has taken steps to protect certain players’ accounts from invalid logins, including but not limited to where they believe that passwords may have been accessed. Zynga has begun the process of sending individual notices to players.​

If you feel you are a victim of identity theft as a result of this breach, co​ntact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@wi.gov.​



 


 

Date Public Notified Date of Breach Company Data Stolen

September 26, 2019

May 4, 2019

DoorDash

Name, email address, delivery address, order history, phone number, as well as hashed & salted passwords.

For some consumers, the last four digits of consumer payment cards.

For some Dashers and merchants, the last four digits of their bank account number.

For approximately 100,000 Dashers, their driver’s license numbers were also accessed.​

Who's Affected Details

4.9 million consumers, Dashers, and merchants were affected including an unknown number of Wisconsin residents.

​​​DoorDash announced that earlier in September they became aware of unusual activity involving a third-party service provider. DoorDash launched an investigation and were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019.

Consumers, Dashers, and merchants who joined on or before April 5, 2018, are affected. Users who joined after April 5, 2018 are not affected.

DoorDash can be contacted at 855-646-4683 for 24/7 suppport

If you feel you are a victim of identity theft as a result of this breach, co​ntact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@wi.gov.​


 


 

Date Public Notified Date of Breach Company Data Stolen

September 19, 2019

February 19, 2019

CafePress, Inc.

Names, email addresses, and CafePress account passwords. For less than 1% of the affected individuals, the information also included Social Security Numbers or Tax Identification Numbers.

Who's Affected Details

Approximately 23 million affected individuals including an unknown number of Wisconsin residents.

CafePress has reported they have recently discovered that an unidentified third party obtained customer information, without authorization, that was contained in a CafePress database on or about February 19, 2019.

For CafePress account holders, it is recommended by CafePress to log in to your online account which should prompt you to change your account password.

CafePress can be contacted at: 1-844-386-9557 Monday–Friday from 9:00 a.m. to 9:00 p.m. ET or Saturday–Sunday from 11:00 a.m. to 8:00 p.m. ET.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


August 2019​

Date Public Notified Date of Breach Company Data Stolen

August 14, 2019

December 14, 2018 to July 29, 2019

Hy-Vee, Inc.

Payment card: number, expiration date, and internal verification code

Who's Affected Details

Unknown number of affected individuals including an unknown number of Wisconsin residents.

On July 29, 2019, Hy-Vee Inc. detected unauthorized activity on some of their payment processing systems. Hy-Vee conducted an investigation and found malware designed to access payment card data from cards used on point-of-sale (“POS”) devices at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants.

The general timeframe when data from cards used at Hy-Vee locations may have been accessed is December 14, 2018, to July 29, 2019 for fuel pumps and January 15, 2019, to July 29, 2019, for restaurants and drive-thru coffee shops.

Specific Wisconsin Hy-Vee locations and timeframes related to this incident:

Market Grille, 3801 E. Washington​, Madison, WI 53704  
January 15, 2019 - June 30, 2019

Market Grille, 675 S. Whitney Way, Madison, WI 53711
January 15, 2019 - July 17, 2019

Hy-Vee can be contacted at (833) 967-1091 Monday through Friday between 8:00 a.m. and 8:00 p.m. CT.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


​Date Public Notified Date of Breach Company Data Stolen

August 3, 2019

May 14, 2019

StockX LLC

Name, email address, username, hashed password, address and purchase history.

Who's Affected Details

Unknown number of affected individuals including an unknown number of Wisconsin residents.

On July 26, 2019, StockX was alerted to suspicious activity potentially involving customer data. StockX launched a forensic investigation and learned an unknown third party gained unauthorized access to certain customer data on or around May 14, 2019. StockX deployed a system-wide update and implemented a full password reset of all customer passwords.

On August 3, 2019, StockX notified affected customers by email and a letter was mailed out on August 8 as a follow up to the email.

StockX is offering 12 months of fraud detection and identity theft protection from ID Experts®. StockX or ID Experts® can be contacted at (833) 300-6935 (US), +1-971-317-8411 (International), or https://ide.myidcare.c​om/stockx

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


July 2019

Date Public Notified Date of Breach Company Data Stolen

July 19, 2019

March 22-23, 2019

Capital One

Name, date of birth, address, zip code, phone number, email address, credit score, credit limits, account balances, payment history, and self-reported income. In some cases Social Security number and bank account number was accessed.

Who's Affected Details

Approximately 100 million total affected individuals.

Including 140,000 individuals whose Social Security numbers were affected.

Including approximately 80,000 individuals whose bank account numbers were affected.

It is unknown how many Wisconsin residents are affected.

On July 19, 2019 Capital One announced that there was unauthorized access of its systems by an outside individual. The vulnerability was reported to the company by an external security researcher on July 17.

Capital One immediately fixed the issue and promptly began working with federal law enforcement. Capital One is reporting that The largest category of information accessed was information on consumers and small businesses as of the time they applied for a Capital One credit card product from 2005 through early 2019.

Capital One is notifying affected individuals by mail and is offering free credit monitoring and identity protection to everyone affected.

More information can be found at ​https://www.capitalone.com/facts2019/ or Capital One can be reached at 1-800-227-4825.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


June 2019

Date Public Notified Date of Breach Company Data Stolen

June 21, 2019

August 25, 2010

Dominion National

Name, Social Security number, date of birth, bank account number, bank routing number, address, email address, member ID number, group number, and subscriber number.

Who's Affected Details

Approximately 3.2 Million affected individuals including 2,964 Wisconsin residents.

On April 24, 2019, Dominion National determined that an unauthorized party may have accessed some of their computer servers. The data stored or potentially accessible from those computer servers may include enrollment and demographic information for current and former members of Dominion National and Avalon vision, and current and former members of plans Dominion National provides administrative services for.

Dominion National began notifying the potentially affected individuals on June 21, 2019. Additional information is available at www.DominionNationalFacts.com or by calling Dominion National’s incident response line at 877-503-8923 or 844-261-6819 (TTY/TDD). The incident response line is open Monday through Friday, 8:00 a.m. to 8:00 p.m. EST.

Dominion National is offering a two-year membership to ID Experts® MyIDCare™, which includes credit monitoring and fraud protection services, for any potentially affected individual.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

June 7, 2019

April 2, 2019

TenX Systems, LLC d/b/a ResiDex Software

Social Security numbers and medical records.

Who's Affected Details

Unknown number of affected individuals including 1,296 Wisconsin residents.

On April 9, 2019, ResiDex became aware of a data security incident, including ransomware, which impacted its server infrastructure and took its systems offline. The data security incident may have resulted in unauthorized access to protected health information, including medical records that existed on ResiDex’s software as of April 9, 2019​.

ResiDex provides software for Presbyterian Homes and Services, which has 1,296 current WI residents. ResiDex began notifying potentially impacted individuals via written notice beginning on June 7, 2019.

ResiDex is providing free membership to TransUnion, myTrueIdentity, credit monitoring service to affected individuals.

ResiDex can be contacted with questions at 877-347-0184 or 866-512-8369 between 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


May 2019

Date Public Notified Date of Breach Company Data Stolen

May 24, 2019

October 15, 2018 through December 21, 2018

OS, Inc. on behalf of: Sauk Prairie Healthcare, Fort HealthCare, Inc., and Columbus Community Hospital.

Name, Social Security number (in the form of insurance identification numbers), hospital account number, name of insurer, summary of charges, and category of service.

Who's Affected Details

Unknown number of affected individuals including an unknown number of Wisconsin residents.

OS, Inc. an organization which provides claims management services to certain healthcare providers (among which is Sauk Prairie Healthcare, Fort HealthCare, Inc., and Columbus Community Hospital), announced that a phishing email campaign may have resulted in unauthorized access to personal information contained within an OS employee’s email account. On April 8, 2019, OS, Inc. notified affected hospitals that their patient's personal identifying information may have been subject to this incident.

On May 24, 2019, OS, Inc. began mailing individual notifications to each patient impacted. OS, Inc. is offering free access to Kroll’s fraud consultation and identity theft restoration services. Kroll can be contracted at (866) 775-4209, Monday through Friday from 8:00 a.m. to 5:30 p.m. with any questions.

OS, Inc. can be contacted by mail at:
PO Box 311
Pewaukee, WI 53072

Columbus Community Hospital patients may contact Andrea Link, Privacy Officer at CCH by calling (920) 623-2200 with any questions related to this incident.

Fort Healthcare patients may call (920) 568-6583 or (877) 324-2175 Monday through Friday from 8:00 a.m. to 5:00 p.m. Central Time.

Sauk Prairie Healthcare patients may call (608) 643-3311.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

April 22, 2019

January 2019

Inmediata Health Group, Corp.

Name, address, date of birth, gender, dates of service, diagnosis codes, procedure codes, and treating physician.

Who's Affected Details

Unknown number of affected individuals including an unknown number of Wisconsin residents.

In January 2019, Inmediata Health Group, Corp (Inmediata) became aware that some of its member patients’ electronic health information was publicly available online. When Inmediata became aware of this they immediately deactivated the publicly accessible website.

On April 22, 2019 Inmediata sent notification letters to patients who were affected by this data breach.

​Inmediata can be reached at 1-833-389-2392, Monday through Friday, 9:00am-6:30pm EST.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


April 2019

Date Public Notified Date of Breach Company Data Stolen

April 9, 2019

March 29, 2017, to January 9, 2019 and February 12-19, 2019.

Canyon Bakehouse LLC

Names, payment card numbers, expiration dates, and CVV codes.

Who's Affected Details

Approximately 12,000 individuals were notified including 295 Wisconsin residents.

On March 1, 2019 Canyon Bakehouse LLC became aware of malware installed on their systems that affected payment card data. Canyon Bakehouse LLC reported that unknown third parties gained unauthorized access to their computer systems compromising some payment card information. Canyon Bakehouse LLC has temporarily disabled the ordering and account login functions on their website until the security can be upgraded.

On April 9, 2019 Canyon Bakehouse LLC mailed notification letters to those affected and is offering one year of credit monitoring and identity theft resolution services through Experian’s IdentityWorks.

Canyon Bakehouse LLC can be reached at (970) 461-3844 ​

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


January 2019

Date Public Notified Date of Breach Company Data Stolen

February 15, 2019

January 3, 2019 through January 24, 2019

North Country Business Products, Inc.

Cardholder's name, payment card number, expiration date, and CVV code.

Who's Affected Details

Unknown number of affected individuals including an unknown number of Wisconsin residents.

On January 4, 2019, North Country Business Products, Inc. learned of suspicious activity occurring within certain client networks. North Country launched an investigation and on January 30, 2019, the investigation determined that an unauthorized party was able to deploy malware to certain North Country business partners and restaurants between January 3, 2019, and January 24, 2019, that collected credit and debit card information.

North Country can be reached at 1-877-204-9537, Monday through Friday (excluding U.S. holidays), 9:00 a.m. to 9:00 p.m. EST.

North Country’s business partners located in Wisconsin:

  • Dunn Brothers Coffee of Hudson, WI (Transactions Occurring from 1/4/2019 to 1/10/2019)

  • Dunn Brothers Coffee of New Richmond, WI (Transactions Occurring on 1/4/2019)

  • Dunn Brothers Coffee of West Bend, WI (Transactions Occurring on 1/4/2019)

  • East Bay Restaurant & Bar of Holcombe, WI (Transactions Occurring on 1/4/2019)

  • Sconni’s Alehouse And Eatery of Schofield, WI (Transactions Occurring on 1/4/2019)

  • The Ranch Supper Club of Hayward, WI (Transactions Occurring on 1/4/2019)

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.