Insider negligence is no longer the number one cause of data breaches in the healthcare industry—cybertheft and physical theft have now claimed the dubious honor.

The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data shows that healthcare information has become a prime target for malicious hackers, with lone cybercriminals and nation-state actors eager to illegally access valuable data. According to the report’s synopsis:

“Cyber criminals recognize two critical facts about the healthcare industry: 1) healthcare organizations manage a treasure trove of financially lucrative personal information and 2) they do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect healthcare data.”

The Ponemon study found that close to 45% of all data breaches in healthcare are due to criminal activity such as cyber criminal and nation-state hacks, malicious insiders, and physical theft, with a 125% increase in such activity over the past five years.

Insider negligence (user errors, falling victim to social engineering schemes, lost or misplaced devices, and the like) had been the primary cause of breaches in years past.

Healthcare Data Breach Stats

More than 90% of healthcare organizations surveyed by Ponemon had experienced at least one data breach exposing patient data over the past two years, 39% had been hit by two to five breaches, and 40% had experienced more than five breaches during that timeframe.

Security incidents that did not result in an actual data breach occurred at 78% of healthcare organizations, and web-borne malware attacks were the cause of security incidents at 78% of them.

Lost and stolen devices were a problem at 96% of healthcare organizations in the study, as was spear phishing (88%).

About 45% of breaches were attributed to criminal attacks, 43% to lost or stolen devices, 40% to employee mistakes, and 12% to a malicious insider (a single breach can have more than one cause, so the categories overlap and do not sum to 100%).

Sixty-five percent of healthcare organizations experienced electronic information-based security incidents over the past two years. Fifty-four percent of healthcare organizations suffered paper-based security incidents.

The Consequences Of Healthcare Data Breaches

Ponemon estimates that data breaches could be costing the healthcare industry $6 billion. According to the report, the average cost of a data breach for a healthcare organization is more than $2.1 million.

Medical identity theft has nearly doubled in five years, from 1.4 million adult victims to more than 2.3 million in 2014. Many victims report spending an average of $13,500 to restore their credit, reimburse their healthcare provider for fraudulent claims, and correct inaccuracies in their health records.

The standard response to a breach that exposes consumer data is an offer of free credit report monitoring and/or identity theft protection. But Ponemon found that nearly two-thirds of healthcare organizations do not offer any protection services to patients whose information has been breached.

Half of all healthcare organizations reported that they have little or no confidence in their ability to detect all patient data loss or theft. In addition, the majority of organizations have not performed the federally mandated (HIPAA) risk assessment of security incidents. And only 40% of healthcare organizations said that they were concerned about cyber attackers.

Healthcare organizations should understand that the data they capture and store has real value to criminals. Stolen health records are priced significantly higher than stolen credit card numbers on the underground market, because they can be leveraged to commit insurance fraud, tax fraud, and identity theft.

BAI Security offers security assessments, breach analysis, compliance control checks, and security training to the healthcare industry. Find out more about our proactive data protection services now.
