Breaches of medical information affect 18 of the 20 industries examined in a report from Verizon Enterprise Solutions, according to a news release.
However, the report found that many organizations outside of healthcare do not realize they hold protected health information (PHI) at all. Common sources of PHI are employee records (including workers' compensation claims) and data collected for wellness programs, and these data are generally not well protected, according to the report.
These findings are part of a first-time report from Verizon’s Data Breach Investigations Report team that provides a detailed analysis of confirmed PHI breaches involving more than 392 million records and 1,931 incidents across 25 countries, according to the release. For the report, PHI was considered information on an individual that is covered by state, federal or international data breach laws.
For the report, authors analyzed PHI data breaches in the healthcare industry including ambulatory healthcare services, hospitals, nursing and residential care, and social assistance across North America, Europe and the Asia-Pacific region.
“Many organizations are not doing enough to protect this highly sensitive and confidential data,” Suzanne Widup, senior analyst and lead author for the report, said in the release. “This can lead to significant consequences impacting an individual and their family and increasing healthcare costs for governments, organizations and individuals. Protected health information is highly coveted by today’s cybercriminals.”
According to past studies cited in the report, people are withholding information — sometimes critical information — from their healthcare providers because they are concerned there could be a data breach.
“Healthcare organizations need to realize that patients trust them with their data and if that trust is broken, the implications can be huge,” Widup said in the release.
The report cites an example in which a patient's unwillingness to fully disclose information could delay the diagnosis of a communicable disease. The risk is especially acute when the disease carries a social stigma, according to the release.
How PHI breaches are different
PHI breaches differ from the breach patterns in past DBIR reports in a number of ways, according to the report. One difference is who carries out the attacks. In PHI breaches, external and internal actors are nearly evenly split, separated by about 5 percentage points, which points to a large share of insider misuse, according to the report.
According to the findings, medical records are often taken with malicious intent, but what attackers are frequently after is the personally identifiable information (PII) stored alongside them, such as credit card and Social Security numbers, which they use to commit financial crimes and tax fraud.
The report authors also found differences in how breaches occur. The most common action is theft or loss of portable devices (laptops, tablets, thumb drives), followed by error, such as sending a medical report to the wrong recipient or losing a laptop. The third most common is misuse, such as an employee abusing legitimate access to the information. Together these three actions account for 86% of all PHI data breaches, the report found. None of the three requires a sophisticated attacker, which is why basic controls such as encrypting portable devices and monitoring access to records address a large share of the risk.
The authors also point out that detecting a data breach often takes months and sometimes years. Incidents that took years to discover were three times more likely to have been caused by an insider abusing LAN access privileges, and twice as likely to have targeted a server, particularly a database.
Nearly half of the U.S. population has been affected by breaches of PHI since 2009, the authors wrote. They also cite an FBI warning to healthcare providers in early 2015 stating that the healthcare industry is less resilient to cyber intrusions than the financial and retail sectors, so increased intrusions are "likely."
The report authors suggest that healthcare organizations assess their processes, procedures and technologies to better protect PHI.
The full report can be found here: http://www.verizonenterprise.com/phi.