If you think the healthcare industry is the only sector plagued by data breaches involving protected health information, think again. An analysis from Verizon Enterprise Solutions finds that 90 percent of studied industries have experienced a PHI data breach outside of traditional healthcare settings.
Of the 20 sectors that Verizon evaluated, only two—the utilities and management industries—had no reported PHI breaches. “It was surprising to see how broad the problem is,” says Suzanne Widup, lead author of the Verizon 2015 Protected Health Information Data Breach Report which is slated for release in December. “It’s probably a surprise to the organizations that are suffering these kinds of breaches as well.”
According to Widup, PHI compromised in non-healthcare environments include health insurance information taken from personnel files, as well as workers compensation and employee program data.
“A lot of organizations focus on the information they get from customers in their core business processes and they’re not thinking about the fact that they also have PHI from their employees. And, so a lot of times it’s not very well secured,” says Widup. “It’s a blind spot for a lot of organizations that they even have this kind of data.”
While healthcare organizations have the most familiarity with HIPAA rules and are more focused on PHI data, she reports that providers and payers still had a large number of breaches. “One of the things that seem to come up with healthcare on a regular basis is lost and stolen devices and their lack of encryption,” Widup asserts.
Verizon took a worldwide view of the problem of PHI data breaches, collecting incidents from 25 countries to produce the report and including analysis of confirmed breaches involving more than 392 million records and 1,931 incidents.
“There’s a large bias in the data for the U.S.,” adds Widup, who notes that Verizon’s report contains data from the Department of Health and Human Services incident database as well as a significant number of incidents from the Department of Veterans Affairs as reported to Congress. “But, we have not found in our research that hackers really care what country the data is stored in. They care more about how they can get to it and how the data is stored and processed.”
Likewise, she reveals that hackers don’t care about the size of the organizations involved regardless of the industry. “There’s companies out there where people are thinking they are too small to be targeted,” says Widup, which is a mistake. At the same time, Verizon found a large percentage of PHI data breaches were caused by employee error and she warns that “it doesn’t take someone targeting you to have a PHI breach.”
Not surprisingly, according to the report hackers are largely financially motivated and while medical record data is often taken with malicious intent, it is frequently the personally identifiable information that they are after. “They’re following the kind of data that they can easily monetize,” argues Widup. “A lot of times, it’s going after something like a Social Security number but they happen to get a medical record as part of the data haul. They’re obviously going to take everything because the medical data is so rich and they can sell it on the black market.”
In the hands of cybercriminals, the data serves as a wealth of information that can be used for financial fraud, identity theft, as well as tax fraud. Widup says that while medical identity theft is not as common, it remains a serious and growing problem that can go beyond financial damages.
“It corrupts the integrity of the medical record of the person whose identity they’ve stolen and it can potentially wind up being life-threatening, depending on how it’s corrupted,” she warns. “If someone else’s data is in the record that doesn’t apply to the patient, the care givers are going to trust what they see in the record.”
In related news, four U.S. senators this week sent a letter to the Centers for Medicare and Medicaid Services and HHS Office for Civil Rights asking the agencies what they are doing to support and protect victims of medical identity theft.
“We share concerns about the Americans who are at a greater risk of medical identity theft as a result of the growing number of data breaches at healthcare organizations,” wrote Sens. Lamar Alexander (R-Tenn.), Orin Hatch (R-Utah), Patty Murray (D-Wash.), and Ron Wyden (D-Ore.). “Data breaches in the healthcare industry have surged in the past year due to major cyber attacks.”
The senators noted that five incidents alone—Anthem, CareFirst, Excellus, Premera, and UCLA Health System—potentially affected 105 million individuals. “We are concerned that data theft will continue to rise and will result in an increase in medical identity theft.”
Register or login for access to this item and much more
All Health Data Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access