Record Breaking Healthcare Data Breaches in 2015 May be Eclipsed in 2016

2014 was widely considered to be “The Year of the Data Breach.” Then came 2015, the year of the mega healthcare data breach. Now that the year is coming to an end, it is time to look to the next 12 months and what could be in store. If the upward trend continues, 2016 could really be an annus horribilis.

According to a recent white paper issued by Experian, the next twelve months are likely to see more of the same. We can expect the large-scale healthcare data breaches to continue as the industry is targeted by cybercriminals seeking the highly valuable data stored by HIPAA-covered entities.

The high value of healthcare data combined with relatively weak defenses and the continued digitization of medical records will see even more attacks launched by cybercriminals on healthcare organizations, according to the Experian Data Breach Resolution White Paper.

Large Healthcare Data Breaches Will Occur, But Small Breaches Are Likely to Cause the Most Damage

This year has seen some mega data breaches suffered by health insurers, and those organizations will continue to be targeted in 2016, according to Experian. Healthcare providers are not in for an easy year either.

This year, cyberattacks on Anthem Inc., Premera BlueCross, and Excellus BCBS exposed 78.8 million, 11 million, and 10 million records respectively. While highly serious, these mega data breaches were relatively few and far between. The biggest problems, certainly in terms of the number of data breaches suffered, are human error and negligence. Both lead to numerous data breaches. Those breaches tend to be much smaller, but they tend to cause the most damage, according to the white paper.

Human error and negligence are behind the vast majority of data breaches suffered by healthcare organizations. Loss and theft of devices, accidental disclosure of health data, theft of data by employees, errors made when mailing or printing PHI, web servers left unprotected, and software configuration errors are happening all too frequently. Barely a day passes without a new healthcare breach being suffered.

As pointed out in the white paper, healthcare providers must ensure cybersecurity protections are reinforced with the latest security technologies to prevent hackers from gaining access to patient data, but the threat from within must also be addressed. “Training employees on proper data handling practices on a regular basis” can help to prevent many of these data breaches from occurring.

One in Three Patients Predicted to Have their Medical Records Exposed in 2016

A new report issued by IDC’s Health Insights Group suggests that 2016 will see even more patient records exposed as a result of cybersecurity attacks, employee data theft, and negligence, to the point that one in three patients will have their private and confidential medical records exposed in a data breach in 2016.

IDC’s researchers suggest that the increase in data breaches is due to more medical records being stored online and a lack of adequate security controls being put in place to protect patient data. The report claims that the healthcare industry’s lackluster electronic security controls are notorious, and lag behind those of other industries such as financial services.

35.4% of Americans Have Had Their Medical Records Exposed So Far in 2015

These predictions may not be far off the mark. According to the healthcare data breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights, 112,914,336 healthcare records have been exposed so far in 2015. Under HIPAA Rules, healthcare organizations have up to two months to report data breaches to the Office for Civil Rights. The final total for the year, which will be known on March 1, 2016, is likely to be substantially higher.

As it stands, 35.4% of Americans have had their medical records exposed so far in 2015. 2016 could be just as bad, if not worse.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.