Human Error Main Cause of Data Breaches Says BakerHostetler Report

The Ponemon Institute released a study this week indicating that criminal activity was the main cause of HIPAA breaches, and OCR breach report data suggest the same. However, according to a data security report produced by law firm BakerHostetler, human error is most often to blame.

The law firm analyzed data from more than 200 incidents that it advised on in 2014. Its clients came from the education, retail, insurance, technology, entertainment, hospitality, financial services and healthcare industries, with healthcare accounting for the majority of data breaches dealt with by the firm.

Over a third (36%) of the firm’s clients that had experienced a data security incident during 2014 attributed it to employee negligence. Data theft by outsiders caused 22% of security incidents. Theft by insiders was joint third with malware, each being implicated in 16% of incidents. Phishing attacks caused 14% of data breaches.

Healthcare Industry Hardest Hit

The high proportion of healthcare data breaches included in the report is partially due to the requirement to report data breaches under HIPAA Rules. The firm suggests that many incidents go unreported in less well-regulated industries. While the healthcare industry suffered the highest frequency of data breaches of any industry, the breaches were typically not as severe. Breaches affecting companies in the professional services sector were often the most severe, according to the report. “Incidents affecting these sectors often require forensic investigation and draw more media coverage, the cost and potential financial consequences are dramatically higher on a per-incident basis.”

The firm determined the root cause of each security breach when compiling its report. While the theft of a laptop computer containing unencrypted data is clearly a criminal act, the laptop should not have had PHI stored on it and should not have been left in an area where it could be stolen. Incidents such as these are classed as being caused by human error.

Even with the best technology, human error will lead to data breaches. The report says: “Companies must match security solutions that provide defense-in-depth with detection capabilities as well as employee training and awareness driven by the right “tone from the top” and appropriate information security policies and procedures.”

Rapid Detection of Security Breaches is Critical

Installing the necessary safeguards to protect confidential data is vital; however, it is also essential that policies are developed, and procedures put in place, to check for security breaches on a regular basis.

When asked, forensic analysis companies often say that the majority of the incidents they investigate were not detected by the company in question. The data from this study suggest that the reverse is true, as 64% of the firm’s clients reported that they had discovered their data breach.

The report points out why fast discovery is essential:

  1. An opportunity to prevent data from being stolen may be missed
  2. Forensic data relating to the incident may be lost; this information could help to identify suspects or to determine exactly what data was compromised
  3. The incident may be reported to the media before the company has issued a statement
  4. Being caught by surprise invariably places an organization under pressure and even closer scrutiny

The report lists proactive steps to help organizations prepare for a data breach, including the correct breach response when one does occur.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.