Verizon’s PHI Data Breach Report, which analyzed 392 million records and 1,931 data breaches, found 90% of all industries have experienced a PHI-related breach.
Most of the reviewed incidents, all of which were publicly disclosed breaches, occurred between 2004 and 2014, but the oldest reviewed record dates from 1994. Records were selected if their industry was “healthcare,” the data type lost was “medical records,” or the data subject/victim relationship was “patient.”
Among the 20 industries demarcated by the North American Industry Classification System codes, only utilities and management industries did not report a PHI breach, according to the data reviewed in the report. “That was a surprise to us,” Suzanna Widup, senior consultant of network and information security for Verizon’s RISK Team and the study’s lead author, told Healthcare Dive. “Usually when you think of PHIs, you think of healthcare and insurers.”
The lion’s share of PHI breaches did occur, however, in the healthcare industry, with 1,403 incidents reported. In terms of size, 573 were small breaches and 339 were large breaches.
The next largest industries by number of breaches were the “public” sector (177) and the finance industry (113). Widup told Healthcare Dive that other industries may be surprised to learn their data can be considered PHI. Companies that don’t have a specific healthcare focus probably “don’t realize they have such data in their organization,” Widup said. This includes data such as email addresses, names, postal addresses, biometric data or IP addresses held in documents for workers’ wellness programs or workers’ compensation.
According to the report, personally identifiable information, not medical data, is what attackers are after when breaching medical records. They can then use this information for financial and tax fraud. “A lot of the theft of personal data from healthcare organizations is not linked to healthcare [for medical fraud purposes] but [because] it’s a good source of information” to make criminals money, said Stephen Cobb, senior security researcher at ESET, in an interview with Healthcare Dive during the HIMSS Connected Health Summit this fall.
“If you’re going to set up mobile access to health or wellness data…you have to have privacy policies around that and securities to protect them,” Cobb added. “Otherwise, your startup which is going gangbusters with a million users [on your] new health app [could be] the next leak…and you’re toast because you didn’t [have a] suitable privacy policy.” Cobb noted the FTC is currently looking for cases to set precedent on the exposure of healthcare data.
Widup recommended that healthcare organizations take a page from other industries, such as retail and finance, and secure point-of-sale transactions, since this is an area attackers target. Such incidents can occur when an individual pays for a healthcare service or buys something from a hospital’s cafeteria or gift shop.
The report covered 25 countries but found a “strong U.S. bias to the data,” as 87% of the incidents were from the U.S. However, the report was quick to note that the U.S. bias does not limit its usefulness around the globe. “Our data has consistently shown that adversaries' tactics are influenced by the data they are interested in, as well as the assets that process and store the data — not the country in which the data resides,” the report stated. “Attack methods are not tied to latitude and longitude — human error, a major cause of breaches, is a global phenomenon too.”