Patient Data Breaches Affect 90% of Industries: Verizon

Stolen medical information is an issue that affects 18 out of 20 industries, making the problem more widespread than previously believed, Verizon’s 2015 Protected Health Information Data Breach Report reveals.

According to the recently-released study, most organizations outside of the health sector don’t even know they hold this type of data, which includes protected health information such as employee records (including workers’ compensation claims) and information for wellness programs. After the healthcare sector, breaches of Protected Health Information (PHI) occur most often in the public, financial, retail, and educational industries.

Verizon notes that PHI breaches differ in numerous ways from other DBIR data sets. One example is the number of external and internal actors involved in such incidents, which is nearly equal: the difference between them is only 5 percentage points, underlining the fact that the internal threat is alive and well, although some incidents might be accidental.

The report revealed that medical record data is often accessed with malicious intent, though attackers are usually going after personally identifiable information (PII) such as credit card and social security numbers. Cybercriminals can use this type of data to engage in financial crimes and tax fraud, yet they often also steal diagnosis information, lab results, treatment plans, and credentials.

Breaches can occur in multiple ways, but the three most frequent ones make up 86 percent of all incidents. The most frequent (45.4 percent) is the theft or loss of portable devices such as laptops, tablets, and thumb drives; the second (20.3 percent) is misuse, where an employee abuses their access to patient information; the third (20.1 percent) is error, which can involve sending a medical report to the wrong recipient or losing a laptop.

When it comes to the time required to discover PHI breaches, Verizon has discovered that 33.2 percent of incidents can go undetected for months, while 18.75 percent are not discovered for years. Breaches in the latter category proved to be three times more likely to be caused by an insider abusing LAN access privileges and twice as likely to be targeting a server, particularly a database.

The report also cites studies pointing out that many people withhold information from their healthcare providers because they fear data breaches. The unwillingness to fully disclose information could delay the diagnosis of a communicable disease, especially if that disease has a social stigma attached.

Verizon says that nearly half of the population of the United States has been affected by breaches of PHI since 2009. Earlier this year, the FBI warned healthcare providers that the industry is not as resilient to cyber intrusions as the financial and retail sectors, meaning that increased cyber intrusions are likely to affect organizations in this sector.

Verizon’s Data Breach Investigations Report (DBIR) is based on data involving confirmed PHI breaches in 1,931 incidents across 25 countries. These incidents resulted in over 392 million records being disclosed, yet 24 percent of the involved organizations did not provide a finite number of records involved. 87 percent of the exposed data is from the U.S., since the U.S. Department of Health and Human Services (HHS) incidents were included in the report as well.

“Many organizations are not doing enough to protect this highly sensitive and confidential data. This can lead to significant consequences impacting an individual and their family and increasing healthcare costs for governments, organizations and individuals. Protected health information is highly coveted by today’s cybercriminals,” Suzanne Widup, senior analyst and lead author for the Verizon Enterprise Solutions report, said.

The debate around the security of healthcare data has intensified as organizations in the sector have seen a rise in security incidents, with 48 percent in a study admitting in April that their organization either failed a compliance audit or experienced a data breach in the last year. Mid-year, Trend Micro revealed that the Stegoloader Trojan hit companies in the healthcare industry the most, while a Ponemon Institute report found that the cost of data breaches is higher in healthcare than in other sectors.
