by adgrooms on January 14, 2020

We have been putting together a report on healthcare data breaches by analyzing data from the Department of Health and Human Services breach portal. Our progress so far has included looking at the numbers from the perspective of geography, entity, and cost. In this post, we look at the breach types. It is common to think of a breach as just stealing PHI to be sold on the dark web. But there are several ways patients' health information can be compromised, deliberate and accidental. Reported breaches include these types:

Hacking/IT incident - A bad actor gains access through hacking and steals records. This is done by phishing, malware, viruses, keystroke logging, and other methods.

Theft - Someone steals a computer, hard drive, mobile device, or paper files containing PHI. Theft of laptops from cars occurs multiple times in the breach descriptions.

Loss - The equipment, media or data itself is lost and unaccounted for. This could be the result of theft, an accident, or something that was simply misplaced.

Improper Disposal - Data was not completely destroyed when disposed of. For example, throwing old paper records in the dumpster is a HIPAA violation because a bad actor could obtain the records from the garbage.

Unauthorized Access/Disclosure - This includes accidentally making PHI visible to unauthorized people. It also includes people who improperly gain access to PHI they are not authorized to view.

Looking at the total number of breaches over the past 10 years, theft is the cause of the most breaches, followed by unauthorized access/disclosure, with hacking/IT incidents close behind.

Total Number of Incidents by Breach Type

By number of individuals affected, hacking/IT incidents have by far the largest impact, affecting about 182 million individuals in the past 10 years. Although this chart makes the others look insignificant, theft, improper access/disclosure, and loss also affect millions of individuals.

Total Number of Individuals by Breach Type

Combining these data points, we can see the average number of individuals per type of breach. Once again, hacking/IT incidents take the top spot, with the most individuals affected on average per incident.

Average Number of Individuals by Breach Type
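The three views above (incidents, individuals, and average per incident) can be computed from a CSV export of the breach data in one pass. This is an added example, not code from the original post; the column names are assumed, the rows are constructed sample data, and counting a multi-type report under each listed type is this example's own choice.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (not real portal data). Column names are an
# assumption about what a CSV export of the breach portal looks like.
SAMPLE_CSV = """Name of Covered Entity,Individuals Affected,Type of Breach
Clinic A,1200,Theft
Clinic B,800,Theft
Hospital C,500000,Hacking/IT Incident
Practice D,650,Unauthorized Access/Disclosure
Insurer E,90000,"Hacking/IT Incident, Unauthorized Access/Disclosure"
Lab F,,Loss
Pharmacy G,2100,Improper Disposal
Clinic H,950,Theft
"""


def summarize(csv_text, type_col="Type of Breach", count_col="Individuals Affected"):
    """Return {breach type: (incidents, individuals, average per incident)}."""
    incidents = defaultdict(int)
    individuals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get(count_col) or "").replace(",", "").strip()
        if not raw.isdigit():
            continue  # no usable headcount: skip instead of treating it as 0
        # One report can list several types. It is counted under each of them,
        # so per-type totals can add up to more than the overall total.
        for breach_type in (t.strip() for t in row[type_col].split(",")):
            if breach_type:
                incidents[breach_type] += 1
                individuals[breach_type] += int(raw)
    return {t: (incidents[t], individuals[t], individuals[t] / incidents[t])
            for t in incidents}


def ranked(summary, field):
    """Breach types ordered highest to lowest on field 0, 1 or 2 of the tuple."""
    return sorted(summary, key=lambda t: summary[t][field], reverse=True)


if __name__ == "__main__":
    s = summarize(SAMPLE_CSV)
    for t in ranked(s, 0):
        n, total, avg = s[t]
        print(f"{t:32} incidents={n:3} individuals={total:8} average={avg:10.1f}")
```

Ranking the same summary by field 0, 1, or 2 shows how the leading breach type changes depending on whether incidents, individuals, or the per-incident average is measured.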

This perspective of the data gives a good look at the variety of challenges institutions face protecting healthcare data. There is a lot of media coverage and urgency about hacking/IT incidents, probably because of the volume of people they can affect in a single incident. Other types, especially theft, are surprisingly common and affect many individuals. Tomorrow we will take a deeper look at the breach data, including other factors such as incidents by media type and incidents by state.