Hackers accessed medical records of 1 in 3 Americans in 2015

Register now

Healthcare records for one in three Americans were breached last year, with records of nearly 112 million people affected by hackers, compared with only about 1.8 million individuals in 2014.

That’s the finding of cybersecurity vendor Bitglass, which did a data analysis of the breach disclosure database maintained by the Department of Health and Human Services and required by HIPAA.

Overall, 113 million Americans fell victim to all forms of health data breaches in 2015, compared with just 12.5 million in 2014. Large-scale hacks represented 98 percent of data breaches in 2015; most notably last year’s cyber attack on Anthem exposed nearly 79 million records, and Premera Blue Cross records were compromised, affecting 11 million individuals. Both were the result of phishing attacks.

2015 saw a significant jump in healthcare hacking and IT theft incidents, rising from 31 in 2014 to 56 such incidents last year. At the same time, only 97 breaches in 2015 were a result of lost or stolen devices, down significantly from 140 in 2014, which accounted for 68 percent of health data breaches that year.

According to Bitglass, there are tremendous financial incentives for cyber criminals to target protected health information, which includes sensitive information such as Social Security numbers, medical record data, and dates of birth. On average, healthcare records for sale on the black market sell for 10 times the amount that credit card numbers fetch.

"The 80 percent increase in data breach hacks in 2015 makes it clear that hackers are targeting healthcare with large-scale attacks," said Nat Kausik, CEO of Bitglass. "As the IoT revolution compounds the problem with real-time patient data, healthcare organizations must embrace innovative data security technologies to meet security and compliance requirements."

Among other findings from the analysis, just 5 percent of healthcare organizations use single sign-on—a session/user authentication process that permits a user to enter one name and password in order to access multiple applications—such as for Google Apps or Office 365.

HIPAA requires covered entities to verify that a person seeking access to electronic protected health information has authorization. As ePHI becomes more widely available, the worry is that proper security measures are not being implemented to ensure the information is only accessible to those with the rights to access it.

For reprint and licensing requests for this article, click here.