There was a record number of healthcare data breaches reported in 2016, with unauthorized disclosures accounting for the majority of those incidents, according to the Bitglass 2017 Healthcare Breach Report.
Hacking and IT incidents still pose the largest risk to healthcare organizations, though: the volume of records leaked through hacking exceeds that of all other breach categories combined.
The third annual breach report draws on the HHS database of healthcare breach disclosures. There were 328 reported data breaches in 2016, up from the previous record of 268 in 2015.
A total of 16.6 million Americans were affected by the 2016 breaches, a significant decrease from the more than 30 million affected in 2015. That 2015 figure excludes the large-scale Anthem data breach, which alone impacted 78 million individuals.
Behind unauthorized disclosure, hacking and IT incidents and loss/theft were the next most common breach causes.
“Unauthorized disclosures continue to tick up and are now the leading cause of breaches as data moves to cloud and mobile and as external sharing becomes easier,” report authors explained. “Unauthorized disclosures include all non-privileged access to PII or PHI.”
The five largest data breaches in 2016 were hacking or IT incidents, and hacking accounted for 80 percent of all compromised records, the report showed.
The largest healthcare data breach from 2016 took place at Banner Health, where approximately 3.6 million individuals were impacted by a cybersecurity attack.
The incident was discovered on July 13, 2016, but a third-party forensics investigation found that the initial attack occurred on June 17, 2016.
The attack affected “a limited number of Banner Health computer servers as well as the computer systems that process payment card data at certain Banner Health food and beverage outlets,” according to the organization’s disclosure.
2017 is off to a similar start to 2016: the Q1 numbers show that the largest breach so far was due to theft, while the next four largest were due to hacking.
“Network servers are almost always the target for hacking related breaches,” the report authors wrote. “For the many healthcare firms that rely on premises-based apps, security is often lacking.”
Citing data from the Ponemon Institute, the report showed that the average cost per leaked record for healthcare organizations hit $402 last year. In comparison, the average data breach in the US costs $221 per lost record.
“Security has become among the top priorities for healthcare firms across the nation,” noted researchers. “Complacency is not an option where malicious individuals can take advantage of application and infrastructure vulnerabilities to access PHI.”
Identity theft is not always the main reason cybercriminals seek PHI, the report authors pointed out. Attackers may use stolen PHI to obtain medical care in someone else’s name, or to extort the organization from which it was taken.
"Breaches and information leaks are unavoidable in every industry, but healthcare remains one of the biggest targets," Bitglass CEO Nat Kausik said in a statement. "While threats to sensitive healthcare data will persist, increased investments in data-centric security and stronger compliance and disclosure mandates are driving down the impact of each breach event."
These findings are similar to an earlier Bitglass report, which showed that one in three surveyed IT professionals said that they had been hacked more than five times in the past 12 months.
Approximately half of respondents also said that their organization planned to increase its overall security budget.
“More organizations in the retail and tech sectors are spending a large proportion of budgets on security than in other verticals,” the second report authors explained. “Security conscious industries including finance and healthcare aren’t far behind, where security budgets continue to grow rapidly.”