Crime Leading HIPAA Breach Cause Says Ponemon Data Security Study

The threat to the healthcare industry from hackers is growing. Hacking and network server incidents are now the main cause of HIPAA data breaches, according to OCR's "wall of shame". Yesterday, the Ponemon Institute released data from a new privacy and security study which confirms that criminals are now the major cause of HIPAA breaches.

The new study – the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data – shows that criminal activity is behind 45% of all healthcare data breaches, whether that is the theft of equipment or records with intent to use or sell the data, hacking incidents, malware, phishing, or theft by malicious insiders.

The loss of laptop computers and other unencrypted devices, accidental disclosures and administrative errors have traditionally been the major cause of data breaches over the past few years, including 2014. This is the first time that carelessness and negligence have not been the leading breach cause. This is unlikely to change in the near future, especially considering criminal activity has increased by 125% over the course of the last 5 years.

According to Rick Kam, co-founder of ID Experts, which sponsored the study, "There is a real stimulus for criminal organizations that exist in Eastern Europe, Russia, China and Iran to go after and compromise these organizations to get access to that data." Healthcare records are now being sold for between $50 and $60 – compared to 50 cents for credit card numbers. It is therefore no surprise that hacking attacks are on the increase.

90% of Healthcare Organizations Have Suffered a Data Breach

Data breaches are now inevitable. Healthcare providers and other HIPAA-covered entities need to make sure they have a breach response plan in place as it will need to be put into action; and probably sooner rather than later. According to the Ponemon Report, 90% of healthcare organizations surveyed revealed that they have already had to put their breach notification policies into practice over the past two years.

Some organizations are clearly struggling with the current wave of attacks and are failing to plug all of the security vulnerabilities that exist in their organizations. 39% of respondents reported experiencing between two and five breaches over the past two years, while a staggering 40% of organizations had suffered more than 5 data breaches.

The report indicates that 78% of organizations had also suffered a security incident that did not result in PHI being compromised – such as a Denial of Service attack – while 82% said they had experienced web-borne malware attacks.

39% of the Business Associates surveyed said they had suffered an attack by a criminal attacker, while 10% reported breaches due to malicious insiders.

Larry Ponemon, Chairman and founder of the Ponemon Institute, believes that the problem, in many cases, is a lack of resources dedicated to protecting healthcare data. 56% of providers and 59% of BAs thought their resources were inadequate to the task. According to Larry, the situation may have improved slightly, but "we still have a long way to go."

The limited resources are clearly a problem. 53% of organizations said that their personnel did not have the technical skill to identify a breach, and 33% said they lacked the resources to prevent or quickly deal with a data breach.

Even with limited resources, there are processes that must be completed, such as a security risk assessment. According to the study, the majority of healthcare organizations and Business Associates failed to perform a risk assessment for security incidents, despite the federal mandate to do so.

The Department of Health and Human Services' Office for Civil Rights is taking a close interest in the breach response of HIPAA-covered entities. Organizations failing to conduct risk assessments run the risk of incurring a substantial fine for non-compliance, in addition to covering the cost of dealing with a breach. The Ponemon report indicates that data breaches cost healthcare providers an average of $2.1 million for incidents involving an average of 2,700 records.

While criminal activity has been shown to be the main cause of data breaches, healthcare providers are most worried about the carelessness of employees. 70% said employee negligence was their greatest fear, 40% believed cyber attacks posed the biggest threat, and 33% believed public cloud services were the biggest worry.

The privacy and security survey was conducted on 90 healthcare organizations and 88 Business Associates, with the responses collected between February and March of this year.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.