Healthcare Data Breaches From Cyberattacks, Criminals Eclipse Employee Error For The First Time

New Ponemon Report reveals just how hot healthcare data is for hackers.

Cybercriminals and nation-state actors are indeed targeting healthcare organizations for their valuable data:  cyberattacks and physical criminal activity now have officially surpassed insider negligence as the main cause of a data breach in healthcare organizations.

The Ponemon Institute's new Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, published today, found that close to 45% of all data breaches in healthcare are due to criminal activity such as cybercriminal and nation-state hacks, malicious insiders, and physical theft, a 125% increase in such activity over the past five years. That's a first, since employee or insider negligence -- user errors, lost laptops and thumb drives, etc. -- accounted for the majority of breaches last year and in years past, according to Ponemon.

More than 90% of healthcare organizations surveyed by Ponemon in its report has suffered at least one data breach exposing patient data over the past two years, while 39% had been hit by two- to five breaches, and 40% had suffered more than five breaches during that timeframe. Security incidents (without an actual data breach) occurred at 78% of healthcare organizations.

About 45% of those breaches came via criminal attacks; 43% by lost or stolen computing devices; 40% via employee mistakes; and 12% via a malicious insider.

The cost of all of this healthcare breach-mania? Some $6 billion per year, with an average cost of $2.1 million per healthcare organization, according to the report, which was commissioned by ID Experts.

"For the first time, criminal attacks constitute the number one root cause [of data breaches], versus user negligence/incompetence or system glitches," says Larry Ponemon, chairman and founder of Ponemon Institute. "Ninety-one percent had one or more breach in the last two years, and some of these are tiny, less than 100 records, but they are still not trivial."

Healthcare organizations also are regularly battling security incidents, such as malware infections. Some 65% say they were hit with cyberattacks in the past two years, and half suffered incidents involving paper-based security incidents. They're not confident in their incident response capabilities, either, with more than half saying their IR isn't adequately funded or manned. And one-third don't have an IR plan at all.

Lost and stolen devices were a problem at 96% of healthcare organizations in the study, as was spear phishing (88%).

The report also surveyed business partners and associates of healthcare organizations. Nearly 60% of these businesses -- patient billing, claims processing, health plan, and cloud services, for example -- had been hit by data breaches, 14% of which had suffered two- to five breaches, and 15%, more than five during a two-year period. More than 80% of them were hit by Web-based malware attacks.

Rick Kam, president and co-founder of ID Experts, says the bad guys are going after healthcare records because they are so valuable. While a stolen credit card can go for a dollor or less in the underground, a patient's pilfered health credentials can bring in as much as $10, according to some experts.

"Data breaches like Anthem's are rare events," Ponemon says. "The types here [in this report] are mostly smaller-sized breaches."

The bad guys are after insurance information for insurance fraud, as well as employee data from the healthcare providers. "We've seen a huge increase in" abuse of employee data, ID Experts' Kam says. "In the last month and a half, we've seen a 100% increase in tax fraud."

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights