
Healthcare Accounted for 39% of Data Breaches in 2015; High Value of Data Attractive to Cyber Criminals and Identity Thieves, Reports Say

April 13, 2016
by Heather Landi
Identity Theft Resource Center data report states there is a connection between the growing trend of healthcare breaches exposing Social Security numbers and the increase in tax-related identity theft.

The largest number of data breaches in 2015 took place within health services, comprising 39 percent of all breaches last year, according to an Internet Security Threat Report from Symantec, which also reports that ransomware increased 35 percent in 2015 and that cyber criminals are using more sophisticated attacks.

For the report, Symantec researchers identified and analyzed emerging trends in cyber attacks, malicious code activity, phishing and spam. The report examines multiple facets, including targeted attacks, smartphone threats, social media scams, and Internet of Things (IoT) vulnerabilities, as well as attackers’ tactics, motivations and behaviors.

Within health services, there were 120 breaches in 2015 with 4.1 million identities exposed, the report states.

According to the report authors, the number of identities exposed is relatively small in the healthcare industry, representing only 1 percent of all identities exposed in data breaches last year. For instance, within the social services industry, there were six data breaches exposing 191 million identities, and within the insurance carriers sector, there were 17 data breaches exposing 100 million identities in 2015.

“Such a high number of breaches with low numbers of identities tends to show that the data itself is quite valuable to warrant so many small breaches,” the authors stated, referring to the healthcare industry.

And, the report authors highlight that the large number of breaches reported in healthcare comes as no surprise, given the strict rules within the healthcare industry regarding reporting of data breaches.

Health services also ranked at the top of the list of high risk industries based on the number of incidents caused by hacking or insider theft, which indicates that the motive was to steal data, as opposed to data being accidentally exposed.

Specifically addressing data breaches and privacy, the report found that the total number of breaches rose slightly, by 2 percent, last year, and 2015 also saw nine mega-breaches (breaches containing more than 10 million identities), surpassing 2013’s record of eight breaches. And, the overall total number of identities exposed has jumped 23 percent to 429 million. However, the researchers point out that this number is likely higher due to the increasing tendency of organizations to limit the information released about the extent of any breaches they suffer.

The more details someone has about an individual, the easier it is to commit identity fraud, which is why criminals are targeting insurance, government and healthcare organizations, the report stated. Researchers looked at what types of information cyber criminals are going after, and real names are still the most common type of information exposed, present in more than 78 percent of all data breaches. Home addresses, birth dates, government IDs such as Social Security numbers, medical records and financial information all appear in 30 to 40 percent of all data breaches.

To this end, a separate study about identity theft attests that there is a connection between the growing trend of healthcare breaches exposing Social Security numbers and the increase in tax-related identity theft. The healthcare industry was single-handedly responsible for 16.6 percent of the 245.2 million records exposing individuals’ SSNs, offering low-hanging fruit to identity thieves, according to a new report from the Identity Theft Resource Center (ITRC) and IDT911.

Of the more than 176.5 million medical and healthcare records exposed since 2005, slightly more than 1.5 million have been physically stolen since 2014. More than 131 million records have been exposed due to hacking since 2007 and 17.2 million have been exposed by Data on the Move, the report stated. And, employee error/negligence and insider theft resulted in a total of 371 healthcare-related breaches.

According to the ITRC’s Data Breach List, so far in 2016, across all industries, there have been 6,013 reported data breach incidents, with nearly 6.2 million records compromised, adding to the more than 851 million records exposed over the last decade. And, the common thread is the exposure of personal identifying information (PII), with 32.7 percent of breaches compromising SSNs and 13 percent exposing credit card or debit card information.

And, the ITRC report found that the IRS experienced a 400 percent surge in tax-related phishing and malware incidents during January and February of this year.

“Tax refund fraud continues to rise, creating almost unbearable issues for victims nationwide. It is our belief that the 575 healthcare breaches since 2010 – that have exposed more than 142 million social security numbers – are contributing to this increase,” Eva Velasquez, CEO of ITRC, said in a release about the study.

“Companies need to create a culture of privacy and security from the mailroom to the boardroom,” Adam Levin, chairman and founder of IDT911, said in a statement. “That means making the necessary investment in hardware, software and training. Raising employee cyber hygiene awareness is as essential as the air we breathe. Similarly, consumers should be on high alert and practice the 3 M’s: minimize their risk of exposure, monitor their accounts and have a damage control program in the event they are compromised.”

The Symantec Internet Security Threat Report found that cyber attackers are targeting businesses both large and small. In fact, the last five years have shown a steady increase in attacks targeting businesses with fewer than 250 employees. And, the number of spear-phishing campaigns targeting employees increased 55 percent in 2015.

Symantec researchers discovered more than 430 million new unique pieces of malware in 2015, up 36 percent from the year before. Ransomware has become a big topic in 2016, and the report finds that crypto-ransomware attacks increased 35 percent in 2015. “Last year, we saw Crypto-ransomware (encrypting files) push the less damaging locker-style ransomware (locking the computer screen) out of the picture. An extremely profitable type of attack, ransomware will continue to ensnare PC users and expand to any network-connected device that can be held hostage for a profit. In 2015, ransomware found new targets and moved beyond its focus on PCs to smart phones, Mac, and Linux systems. Symantec even demonstrated proof-of-concept attacks against smart watches and televisions in 2015,” the Symantec researchers wrote.

The report also states that researchers have found potentially deadly vulnerabilities in dozens of devices such as insulin pumps, x-ray systems, CT scanners, medical refrigerators and implantable defibrillators.




