Verizon 2024 DBIR: 70% of Healthcare Data Breaches Caused by Insiders
On May 1, 2024, the 2024 Verizon Data Breach Investigations Report (DBIR) was released. This year's report analyzed a record number of security incidents (30,458) and more than double last year's number of confirmed data breaches (10,626). The report includes 1,378 security incidents at healthcare organizations and 1,220 confirmed healthcare data breaches.
Credential theft was the most common method of breaching networks and was the initial access vector in 38% of all data breaches, followed by phishing (15%). Vulnerability exploitation was the third most common initial access vector and the root cause of 14% of breaches, but what is particularly concerning is the increase in exploit-related data breaches, which are up 180% year over year. Also concerning is the time it takes organizations to patch disclosed vulnerabilities. On average, it took 55 days for organizations to patch 50% of their critical vulnerabilities, which gives threat actors a significant window for exploiting vulnerabilities.
Ransomware groups were behind many of the attacks targeting unpatched vulnerabilities, with the Clop ransomware group’s mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution a significant factor in the large increase in exploit-related breaches. Clop also mass exploited a zero-day vulnerability in GoAnywhere MFT in January and a SysAid zero-day flaw in November.
While ransomware groups were a major threat in 2023 and were behind some of 2023’s largest data breaches, there was a slight decline in attacks year-over-year. Law enforcement actions against ransomware groups, non-payment of affiliates, and falling numbers of victims paying ransoms have resulted in some ransomware affiliates reconsidering their options; however, Verizon’s figures suggest that threat actors are simply switching to extortion-only attacks, where sensitive data is stolen without file encryption.
In response to the threat of ransomware attacks, organizations have improved their backup processes and disaster recovery plans, and an increasing number of victims do not need to pay to recover their files; however, the threat of the sale or publication of stolen data is often enough to get victims to pay. The attack on Change Healthcare shows that there is no guarantee that data will be deleted if the ransom is paid. In 2023, 23% of data breaches were due to ransomware attacks, and around one in three data breaches (32%) involved extortion, with two-thirds of financially motivated attacks involving either ransomware or extortion. Third parties such as software supply chains, hosting providers, and data custodians were involved in 15% of data breaches, up 68% year-over-year.
Over the past few years, Verizon has highlighted the extent to which the human element is involved in data breaches, such as accidental misconfigurations, falling for social engineering scams, and phishing attacks. In 2021, the human element was a factor in 85% of data breaches, falling to 82% in 2022. In the 2024 DBIR, Verizon changed how these incidents are recorded, eliminating actions by malicious insiders. Non-malicious human error was involved in 68% of data breaches; had malicious insiders been included in the figures, the percentage of incidents involving the human factor would have been at around the same level as in previous years.
In healthcare, the biggest cause of data breaches was miscellaneous errors, followed by privilege misuse, and system intrusions, with those three causes behind 83% of data breaches. In contrast to other sectors, 70% of the threat actors behind data breaches were internal, reversing a trend of declining breaches by malicious insiders in recent years.
Financial motives were behind 98% of all healthcare attacks, and personal data was compromised in 75% of incidents. Verizon said threat actors are increasingly targeting personal information over medical data. Verizon points out that privilege misuse by malicious insiders was not even a top-three breach cause in 2022 but rose to 2nd place in 2023. The most common error resulting in a data breach was misdelivery of paper records or misdirected emails, followed by loss of data, with the third most common being gaffes – disclosures of patient information when others were in earshot.