HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Key Findings of the 2019 Verizon Data Breach Investigations Report

Today sees the release of the 2019 Verizon Data Breach Investigations Report. This is the 12th edition of report, which contains a comprehensive summary of data breaches reported by public and private entities around the globe.

The extensive report provides in-depth insights and perspectives on the tactics and techniques used in cyberattacks and detailed information on the current threat landscape.  The 2019 Verizon Data Breach Investigations Report is the most comprehensive report released by Verizon to date and includes information from 41,686 reported security incidents and 2,013 data breaches from 86 countries. The report was compiled using data from 73 sources.

The report highlights several data breach and cyberattack trends. Some of the key findings of the report are detailed below:

  • C-Suite executives are 12 time more likely to be targeted in social engineering attacks than other employees
  • Cyber-espionage related data breaches increased from 13% of breaches in 2017 to 25% in 2018
  • Nation-state attacks increased from 12% of attacks in 2017 to 23% in 2018
  • Financially motivated breaches fell from 76% to 71%
  • Phishing is involved in 32% of breaches and 78% of cyber-espionage incidents
  • 90% of malware arrived via email
  • 60% of web application attacks were on cloud-based email servers
  • Most email threats and BEC attacks only resulted in data breaches because multi-factor authentication had not been implemented
  • 52% of cyberattacks involve hacking
  • 34% of attacks involved insiders
  • 43% of cyberattacks were on small businesses
  • Ransomware is the second biggest malware threat and accounted for 24% of malware-related breaches
  • There has been a six-fold decrease in attacks on HR personnel
  • Misconfiguration of cloud platforms accounted for 21% of breaches caused by errors

C-Suite Executives Beware!

C-suite executives are being extensively targeted by cybercriminals and for good reason. They are likely to have high-level privileges, so their accounts and credentials are more valuable. Compromised email accounts can be used for social engineering, phishing, and BEC attacks on other members of the organization and vendors.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Attacks on the C-suite are 12 times more likely than on other employees and C-suite executives are 9 times more likely to be the target of social incidents. These figures show just how important it is for C-suite executives to receive regular security awareness training.

These attacks are part of a trend of cybercriminals choosing the path of least resistance. Why invest time and money into hacking a company when an email can be sent to the CEO or CFO requesting a fraudulent transfer. Hacking a C-suite email account and using it to send wire transfer requests is simple, effective, and highly profitable.

Figures from the FBI, a new DBIR partner in 2019, show the median losses due to BEC attacks is a few thousand dollars. However, there are an equal number of attacks with losses from zero to the median as there are from the median to $100 million dollars. 12% of all breaches were the result of business email compromise attacks

Cyberattacks on the Healthcare Industry

The 2019 DBIR included 466 healthcare cybersecurity incidents, 304 of which involved confirmed data disclosures.

Out of all industry sectors analyzed, healthcare was the only industry where the number of incidents caused by insiders was greater than those caused by external threat actors. 59% of incidents involved insiders compared to 42% involving external threat actors. Breaches of medical information are 14 times more likely to be caused by doctors and nurses.

The primary motive for attacks on the healthcare industry was financial gain (83%), followed by fun (6%), convenience (3%), because a grudge was held (3%), and espionage (2%). 72% of breaches involved medical data, 34% involved personal information, and 25% involved credential theft.

81% of all healthcare cybersecurity incidents involved either miscellaneous errors such as software misconfiguration, privilege misuse, and web applications.

Across all industries, ransomware is involved in 24% of malware-related attacks but 70% of those attacks were reported by healthcare organizations. It should be noted that, in most cases, ransomware attacks are reportable breaches under HIPAA. The overall number of attacks in other industry sectors may well be much higher, as many attacked companies choose not to report the incidents and just quietly pay the ransom.

Patterns Identified in Healthcare Data Breaches

Pattern Number of Data Breaches
Miscellaneous Errors 97
Privilege Misuse 85
Web Applications 65
Lost and Stolen Assets 28
Everything Else 27
Cyber-Espionage 2
Point of Sale 2
Crimeware 1
Denial of Service 0

Causes of Healthcare Data Breaches

Actions Involved   Incidents Data Breaches
Error 124 110
Misuse 110 85
Hacking 100 78
Social 91 78
Malware 85 7
Physical Theft 47 17

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.