Unintended data disclosure, such as emails containing PHI sent to the wrong recipient or servers left publicly accessible, accounted for 41 percent of reported health data breaches in the first nine months of 2017, according to research from Beazley.
The second most common cause was hacking or malware incidents (19 percent), followed by insider incidents (15 percent) and physical loss (8 percent).
Organizations need to understand the underlying causes of data breaches so necessary mitigation and management techniques can be put in place, Beazley Breach Response Services Global Head Katherine Keefe explained.
“All organizations face the reality that data breaches have become inevitable,” Keefe said in a statement. “And the stakes are high: they hold personal data on trust for customers, employees and patients. The volume of protected health information maintained by healthcare organizations and the digitization of electronic health records have increased the vulnerability for large breaches.”
There has also been a dramatic increase in social engineering attacks, the Beazley Breach Insights report showed. Social engineering attacks increased nine-fold, and largely stemmed from fraudulent instruction incidents and W-2 scams.
“Organizations can combat social engineering attacks by training employees to better recognize phishing emails, encouraging that wire transfer requests be verified by phone if new bank account information is provided, and implementing two-factor authentication to prevent unauthorized users from using stolen credentials to log into email remotely,” report authors explained.
Unintended disclosure was also the leading cause of reported incidents in 2016, with hacking or malware incidents again in second place. The same trend occurred in 2015, but the gap was narrower: approximately one-third of incidents stemmed from unintended disclosure and about 27 percent were caused by hacking or malware.
Citing data from OCR HIPAA settlements, report authors noted that resolution agreements average $1.8 million. There were 13 resolution agreements in 2016, and there have so far been nine in 2017.
Conducting regular security risk assessments, updating policies and procedures, and ensuring business associate agreements are in place and current are some of the top takeaways from the OCR settlements, researchers maintained.
Along with the potential costs from an OCR investigation following a data breach, healthcare organizations have to deal with the costs associated with compromised health records.
Healthcare data breaches cost organizations $380 per record, according to the 2017 Cost of a Data Breach Study: Global Overview. That is more than 2.5 times the $141-per-record global average across all industries.
Sponsored by IBM Security and conducted by Ponemon Institute, the Cost of a Data Breach study also found that US data breaches cost companies an average of $225 per compromised record. The total average organizational cost of data breach also reached a new record at $7.35 million.
Ponemon and IBM found that 52 percent of US data breaches were caused by malicious or criminal attacks, while human error and system glitches each accounted for 24 percent.
Malicious or criminal attacks were also the most costly, with an average per capita data breach cost of $244, the report found. Breaches caused by system glitches or human error had per capita costs of $209 and $200, respectively.
"Data breaches and the implications associated continue to be an unfortunate reality for today's businesses," Ponemon Institute Chairman and Founder Dr. Larry Ponemon said in a statement. "Year-over-year we see the tremendous cost burden that organizations face following a data breach."
"Details from the report illustrate factors that impact the cost of a data breach, and as part of an organization's overall security strategy, they should consider these factors as they determine overall security strategy and ongoing investments in technology and services."