Healthcare Industry Tops 2015 Data Breach List

The number of healthcare data breaches reported so far this year has been staggering, so it should come as no surprise to hear that the healthcare sector has suffered more data breaches than any other industry sector during the first six months of the year.

According to a new data breach report compiled by data security firm Gemalto, the healthcare industry’s 187 data breaches add up to 21.1% of all global data breaches reported in the first half of the year. The report also suggests 34% of all healthcare records kept on U.S. patients were exposed between January 1 and June 30 this year.

The report puts the number of compromised healthcare records at 84 million, the majority of which came from the colossal cyberattack on Anthem, which resulted in 78.8 million records being exposed: 32% of the total number of global records exposed in data breaches, across all industries.

Overall, 888 data breaches were reported during the first 6 months of 2015, resulting in 245.9 million records being exposed around the globe. The figures have remained pretty constant year on year according to the report. In the first six months of 2014, 803 data breaches were reported, while the final half of the year saw 892 global data breaches discovered.

The healthcare industry is being targeted by malicious insiders and outsiders, and major breaches have already been reported by CareFirst, Medical Informatics Engineering and Premera Blue Cross (which was not included in the report); however, the total number of records breached in the first six months of 2015 was actually 40% lower than the total reported during the first period of 2014, when 414.8 million records were exposed globally.

The report lists 11 of the biggest data breaches reported globally, assigning each a score based on the severity of the attack; 10 being catastrophic, down to 1, which represented minimal risk. Anthem Insurance Companies top the list with a score of 10, while the Medical Informatics Engineering data breach, which involved 3.9 million compromised records, was positioned at number 8, and was assigned a score of 8.8.

Malicious Outsiders Main Cause of Global Data Breaches


Employee (and employer) negligence may now be the leading cause of data breaches in the healthcare industry, but taking all global data breaches together, it is malicious outsiders that have been responsible for the majority of data breaches in 2015: 546 out of the 888 breaches reported during the period under study, representing 61.5% of the total number of data breaches across all industries. Gemalto points out that this figure has risen from just 52% in 2013, clearly showing the problem is getting worse.

The second biggest data breach cause is accidental loss, which resulted in 197 data breaches, or 22.2% of the total. Malicious insiders caused 107 data breaches (12%), hacktivists 19 (2.5%) and state-sponsored attacks 17 (2.2%). Malicious outsiders were also responsible for compromising the most records, creating more than half of the global total of data breach victims: 114.5 million individuals, or 46.6% of all data breach victims from the first half of the year. State-sponsored attacks came in second place, compromising 101.5 million records (41.3%).

Identity Theft Leading Type of Global Data Breach


During the period under study, identity theft was listed as the main type of data breach, accounting for 472 data breaches (53.2%). Identity theft was cited in the three largest data breaches of the year, and was involved in 5 out of the top 10 data breaches of 2015. Those data breaches corresponded to 74.9% of compromised data records. Financial access to data came in second place, cited in 197 incidents or 22.2% of the total number of data breaches, although those incidents only involved 1% of the total number of records compromised during the period.

The Healthcare Sector Was the Worst Hit Industry


The healthcare industry has been hit hard over recent years, and the first half of 2015 was no different; however, in spite of the massive Anthem breach, the healthcare sector’s share of data breaches has actually fallen compared to the first half of 2014, in terms of both the number of data breaches reported and industry share. The financial services sector was in second place, closely followed by government data breaches, then the retail industry, education and the technology sector.

The healthcare sector may have previously reported high numbers of data breaches, but the volume of records exposed in those data breaches was relatively low. The report uses figures for the last half of 2014 as a comparison, when healthcare sector data breaches accounted for just 5.2% of stolen records, compared to 34% for the first half of 2015. The healthcare sector now takes top spot, whereas last year it was the retail sector followed by the financial services industry that topped the list.

A Change of Mindset is Required


Gemalto’s analysis of global data breaches shows that the threat of cyberattacks is growing, in spite of huge investment in cybersecurity protections. The data security firm says, “Security is consuming a larger share of total IT spending, but security effectiveness against the data-breach epidemic is not improving at all.” The report goes on to say, “Enterprises are not investing in security based on reality as it is; they’re investing in security based on reality as it was: a bygone era where hackers were glory-seeking vandals, sensitive data was centralized, and the edge of the enterprise was a desktop PC in a known location.”

Gemalto says that while network perimeter security technologies are a wise data security measure, organizations are placing too much reliance on the effectiveness of this safeguard; the reality is that data breaches simply cannot be prevented 100% of the time. Gemalto calls for a change to the mindset of IT security professionals: “In today’s environment, the core of any security strategy needs to shift from breach prevention to breach acceptance.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.