Why Protected Health Information Is Not Just a Healthcare Issue
The fact that an organization is not in the healthcare industry or isn’t a HIPAA-covered entity doesn’t mean it’s not at risk of a PHI data breach.
This is just one headline finding from one of the best reports we’ve seen on PHI data breaches. If you really want to understand how PHI data breaches happen, who’s being targeted, what methods the bad guys are using, and what can be done to fight back, this is the report to read.
The 2015 Verizon Protected Health Information Data Breach Report is an in-depth, quantitatively sophisticated study that examines the problem of medical data loss. According to the report, “This is a far-reaching problem that impacts not only organizations that are victims of these breaches, but also doctor-patient relationships. And it can have consequences that spread more broadly than just those directly affected by the incidents.”
Here are some attention-getting excerpts from the report:
- The data set consists of 1,931 records taken from a combination of the Verizon Data Breach Investigations Report and the Vocabulary for Event Recording and Incident Sharing Community Database.
- To compile the dataset, the research team selected records that met any of the following criteria:
  - The industry was “healthcare.”
  - The data type lost was “medical records.”
  - The data subject/victim relationship was “patient.”
- The dataset includes incidents from 25 countries, with 90% of the top-level NAICS industry codes represented. There were over 392 million records disclosed that we know of—since 24% of these organizations did not provide a finite number of records involved, the total could be much higher.
- Our data has consistently shown that adversaries’ tactics are influenced by the data they are interested in, as well as the assets that process and store the data—not the country in which the data resides.
- Apart from employees, many organizations collect PHI as part of doing business with their customers. The insurance industry is a prime example, and one where we have seen some very large data disclosures recently.
- The top three Actions related to PHI incidents are Physical, Error and Misuse.
- Recent studies have found that people are withholding information—sometimes critical information—from their healthcare providers because they are concerned that there could be a confidentiality breach of their records. This is not only a potential issue for the treatment of a specific patient; there are potential public health implications.
- Even when medical records are taken with malicious intent, it is frequently the associated PII that is targeted and used to commit various types of financial crime, including tax fraud and identity theft.
- The report’s chart lists the “Nefarious Nine,” the nine incident patterns that account for 93% of the incidents related to PHI data breaches; three of those patterns alone describe 85% of the incidents.
The Diagnosis and Prognosis section at the end of the report includes both bad news and good news, including that organizations with PHI are detecting incidents faster than other industries and closing the detection deficit.
You can read the entire report on the Verizon website here.