While the business sector led the way in reported data breaches for 2016, healthcare came in second by accounting for 34.5 percent of overall reported breaches, according to research from the Identity Theft Resource Center (ITRC) and CyberScout.
The business industry had a total of 494 reported data breaches, while there were 377 reported healthcare data breaches. Education came in third with 98 incidents, while the government/military had 72 reported breaches.
One of the leading causes of healthcare data breaches was employee error or negligence, with 43 reported incidents that exposed 1,183,893 records. In comparison, the second leading sector for employee negligence was the government/military, which had 14 breaches and exposed 35,800 records.
Subcontractors, third parties, and business associates were also a top factor for healthcare data breaches, the report found. The medical/healthcare industry had 16 breaches due to a subcontractor or third party, but approximately 4 million records were exposed. The government/military had the second highest amount of records affected with 95,463.
“For businesses of all sizes, data breaches hit close to home, thanks to a significant rise in CEO spear phishing and ransomware attacks,” CyberScout CEO and Vice Chair of ITRC’s Board of Directors Matt Cullina said in a statement. “With the click of a mouse by a naïve employee, companies lose control over their customer, employee and business data. In an age of an unprecedented threat, business leaders need to mitigate risk by developing C-suite strategies and plans for data breach prevention, protection and resolution.”
Healthcare data breaches also exposed the most Social Security numbers, with 10.4 million records put at potential risk. There were 123 breaches that may have exposed SSNs, the report found, accounting for 11.3 percent of reported breaches.
SSN exposure was a leading concern for all industries, with 52 percent of the overall number of breaches in 2016 potentially putting SSNs at risk. This was an 8.2 percent increase from the number of exposed SSNs in 2015. Researchers noted that this increase aligns with the increase in CEO spear phishing attacks.
“While credit and debit card numbers can be changed, SSNs cannot,” CyberScout Chairman and Founder Adam Levin said. “Therefore, monitoring and damage control become even more important than ever before. Consumers must become better informed as to the risks inherent in this dangerous digital world, be more alert to the signs of individual compromise and know what to do to contain and reverse the damage or take advantage of identity theft protection services offered by their insurers, employers or financial services firms.”
Overall, hacking, skimming, or phishing attacks were the leading cause of data breach incidents, accounting for 55.5 percent of the overall number of breaches. This is a 17.7 percent increase from the 2015 findings.
The majority of such attacks stemmed from CEO spear phishing attempts, the report showed.
Accidental email or internet exposure was the second most common type of data breach for all industries, accounting for 9.2 percent of the reported total. Employee error came in third with 8.7 percent.
These results are similar to those found in a 2016 Experian Data Breach Resolution and Ponemon Institute report. In that survey, 55 percent of respondents in various industries said they experienced a security incident or data breach because of a malicious or negligent employee.
Approximately two-thirds – 66 percent – said that employees were also the biggest challenge to developing and implementing robust data security postures.
“Among the many security issues facing companies today, the study emphasizes that the risk of a data breach caused by a simple employee mistake or act of negligence is driving many breaches,” Experian Data Breach Resolution Vice President Michael Bruemmer said in a statement. “Unfortunately, companies continue to experience the consequences of employees either falling victim to cyberattacks or exposing information inadvertently.”
The Experian and Ponemon report also found that less than half of the surveyed companies require data security training for all employees. Just under one-third of respondents said that their organization required senior executives, such as CEOs and other C-level executives, to participate in data security training.