90% Industries Experience Patient Data Breaches: Study

by CXOtoday News Desk    Dec 18, 2015


Medical data breaches are not just common in hospitals and health clinics. Some 392 million health records have been accessed in 1,931 protected health information breaches across a staggering 90 percent of industries, according to findings from a new Verizon report.

These industries, across 25 countries including India, have seen health insurance information, personnel files or other data outside of traditional healthcare settings or industries stolen, the study shows. This clearly sugests common sources of protected health information are employee records (including workers’ compensation claims) or information for wellness programs and are generally not well protected.

Portable devices including laptops and flash drives continue to be a favored target of criminals, and while encryption offers a safe harbor by protecting the data even when the asset is compromised, we still see this as a leading cause of incidents year after year.

“Many organizations are not doing enough to protect this highly sensitive and confidential data,” said Suzanne Widup, senior analyst and lead author for the Verizon Enterprise Solutions report.

“This can lead to significant consequences impacting an individual and their family and increasing healthcare costs for governments, organizations and individuals. Protected health information is highly coveted by today’s cybercriminals.”

According to recent studies called out in the report, people are withholding information – sometimes critical information – from their healthcare providers because they are concerned that there could be a data breach.

“Healthcare organizations need to realize that patients trust them with their data and if that trust is broken, the implications can be huge,” Widup added.

For example, the report points out, an unwillingness to fully disclose information could delay a diagnosis of a communicable disease. This is especially true if the disease has an attached social stigma.

PHI breaches stand out from prior DBIR data sets in a number of ways. One area of difference is who is carrying out the attacks.  In PHI breaches, the number of external and internal actors is nearly equal with just 5 percentage points difference, meaning there is a lot of insider misuse. 

According to the report’s findings, medical record data is often taken with malicious intent; however, it is frequently the personable identifiable information (PII), like credit card and social security numbers, that attackers are really after in order to facilitate financial crimes and tax fraud. 

Differences are also evident in how the breach occurs.  The primary action of attack is theft of lost portable devices (laptop, tablets, thumb drives), followed by error which can simply be sending a medical report to the wrong recipient or losing a laptop. Third is misuse that can result from an employee that abuses his/her access to the information. These three actions make up 86 percent of all breaches of PHI data. 

In addition, the time to discovery most frequently falls into the months and sometimes years category.  For those incidents taking years to discover, they were three times more likely to be caused by an insider abusing their LAN access privileges and twice as likely to be targeting a server, particularly a database.

While detailed health records make it easier for criminals to engage in both identity theft and medical billing fraud, the media and industry researchers continue to shine a light on the loss of highly personal data in order to bring much needed attention to this issue.

“We believe that to achieve true information security, it is essential that a company implements an ongoing information security program which incorporates people, processes, and technology to address its enterprise-wide business operations and employs appropriate measurements to manage and improve program effectiveness on a continual basis.

Reliable and high-fidelity cyber-intelligence, which can be attained from network intelligence is critical to detecting targeted cyberattacks and to implementing a timely and effective response.” said Ashish Thapar, Managing Principal, RISK Services - APAC, Verizon Enterprise Solutions.