HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

The Age of the Healthcare Data Breach: 40% of Americans Now Victims

According to a new study conducted by iSheriff, almost 45% of Americans have now had their personal information exposed in a healthcare cyberattack, in some cases more than once. It is clear that we are now well and truly in the ‘Age of the Data Breach’, and the situation is likely to get worse.

This year has already seen the largest ever HIPAA data breach, the 78.8-million-record heist at Anthem Inc., and the second largest healthcare data breach reported, the 11-million-record cyberattack at Premera Blue Cross. Recently, a further 4.5 million records were exposed in the UCLA Health cyberattack.

More than 100 million new healthcare data breach victims have been created so far this year, representing almost a third of the population of the United States. The total number of records exposed in the last 5 years is now 143 million. We are therefore just over 16 million records short of half the population of the United States. With the volume of breaches now occurring, it is possible that this unwanted milestone may even be reached this year.

According to iSheriff CEO Paul Lipman, “When more than forty percent of the U.S. population has been a victim of a data security breach, we must recognize this as an epidemic that can and will hit any healthcare provider.” He went on to say, “These breaches not only cost time and money, they risk compromised medical records that could impact health diagnoses and outcomes. Cybercrime is the new healthcare crisis.”

As seen this year, no company is immune to a cyberattack. Lipman points out that “If Anthem – with annual revenues of over $60 billion – can be breached, the sobering reality is any healthcare organization collecting and storing patient data is vulnerable. The targets span the smallest physician practices, clinics, and labs to regional hospitals, HMOs and PPOs, and the largest national providers.”

Retailers, insurers, financial institutions and healthcare providers have struggled to implement policies, strategies and technical controls to safeguard the data of consumers. Hackers are using ever more sophisticated methods to break through security defenses, and the increasing reliance on technology is giving cybercriminals even more opportunities to access and steal confidential data. Medical devices such as drug pumps are networked and can be hacked, and virtually every day a new software security flaw is discovered that could allow hackers an entry point into a protected network.

Criminals are targeting healthcare providers and insurers due to the value of the data they hold. Credit card numbers can be sold for a couple of dollars, but healthcare data and Social Security numbers are much more valuable.

Credit cards are rapidly cancelled, whereas healthcare data can be used for longer before fraud is discovered. By the time victims become aware that they have been defrauded, their data may have been used to file false tax returns, obtain medical services and drugs, file false insurance claims, and obtain thousands of dollars of credit.

According to the iSheriff report, The New Healthcare Crisis: Cybercrime, Data Breaches and the Risks to Patient Records, the rise in healthcare data breaches can be attributed to a number of factors: the ever-changing threat landscape; gaps in security posture caused by point products, a more mobile workforce using mobile devices, and significant resource constraints. Unless these issues are addressed, the situation is only going to get worse.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.