In our ongoing look at data breach information from the past ten years, we have looked at the types of breaches over time. In this post, we will look at the types again, and this time, look more closely at how the type and location (or media) of the breach are related. As a reminder, the data we are working with are reported data breach incidents where the personal health information (PHI) of 500 or more people was compromised.
Breaches by theft have decreased since the beginning of the reporting period, especially theft of laptops, which have consistently been the top media for theft. Paper/films have been in second place since their peak in 2014, and have also seen a steady reduction in the number of incidents per year.
Most media formats have seen an increase in unauthorized access/disclosure over the past 10 years. Paper/films, email, and other were the most common locations for an unauthorized access/disclosure breach in 2019, with between 30 and 40 breaches each. It is important to note that this category includes both access and disclosure. Data can be accessed improperly by people within an organization as well as by people outside it. Additionally, disclosure could be anything from wrong addresses on mailings to a database of patient information accidentally left accessible to the general public on the internet.
Loss as the cause of a breach is most prevalent in paper/films and 'other portable devices' (everything but laptops). Although the number of incidents is shrinking, these two categories accounted for 11 incidents in 2019.
Improper Disposal of Paper/Films has bounced between 4 and 10 incidents in the reporting period. There are also sporadic Improper Disposal incidents reported from the other locations. When looking at specific incidents, paper records are sometimes not destroyed, even though destruction is the proper method of disposal. For electronic media, the hard drive may not have been erased before disposal, potentially allowing patient information to be found and accessed.
Taking a look at hacking/IT incidents, we see that email breaches take a sharp upward trend after 2016. From 2018 to 2019, this area of vulnerability grew from 90 to 153 incidents. Is this due to a sheer increase in attempts or to the increasing effectiveness of email hacking techniques? Servers are also a frequent target. Although there was a significant reduction from 2017 to 2018, a new record was set in 2019, with over 100 hacking/IT incidents. Desktop computers, EMR, and other have also become regular targets in the last ten years.
The trends show us the changing challenges of protecting patient data. While there is more electronic data, paper is still vulnerable to breaches. Databases are a major hacking target, but laptops containing patient information are still vulnerable to theft. In a future post, we will look at some specific cases to better understand the nuances of the data and the variety of ways that breaches happen.