Verizon Enterprise Solutions unveiled select initial findings from its inaugural Protected Health Information (PHI) Data Breach Report at the Connected Health Summit in Washington, D.C. The 2015 report examines how PHI breaches happen, how long it takes to discover a breach, how PHI breaches affect the doctor-patient relationship, and how to mitigate the risks. For this report, PHI is defined as personally identifiable health information on an individual covered by one of the state, federal or international data breach disclosure laws. The initial swipe of the data indicates that a whopping 90 percent of industries have experienced a PHI data breach.
These include instances like breaches of health insurance information from personnel files or other breaches outside of traditional healthcare settings or industries. Of 20 sectors studied, only the utilities and management industries had no reported PHI breaches. Verizon’s Data Breach Investigations Report team examined incidents from 25 countries to produce this report, including detailed analysis of confirmed breaches involving more than 392 million records and 1,931 incidents.
Verizon’s data breach research has consistently shown that hackers’ tactics are influenced by what data they are after, and where that data is stored and processed. The country where the data resides and the size of the company are not significant factors. One area of difference between PHI data breaches and data breaches of all kinds is the profile of the attacker. The number of external and internal actors is nearly equal, with just a 5 percentage point difference, meaning there is a lot of insider misuse of PHI. “Protected Health Information is like gold for today’s cybercriminal,” said Suzanne Widup, lead author for the Verizon Enterprise Solutions report. “What makes our findings even more troubling is that many sectors – especially those outside of the healthcare industry – aren’t even aware that they hold this type of data.
The ramifications of stolen medical information can have significant consequences for the safety and well-being of the patient.” According to the report’s findings, while medical record data is often taken with malicious intent, it is frequently the personally identifiable information (PII) that attackers are really after. “This data can be extremely damaging in the hands of those wanting to commit various types of financial fraud,” added Widup. Slated to be released in its entirety in December, the report is aimed at helping organizations across all sectors understand the importance of identifying and protecting this information before a data breach occurs.
Verizon 2015 Protected Health Information Data Breach Report
As part of Verizon’s Data Breach Investigations Report (DBIR) series, the PHI Report is based on actual casework and is the most comprehensive report of its kind in the industry. This report analyzes protected health information data breaches with a focus on the healthcare industry, including ambulatory healthcare services, hospitals, nursing and residential care, and social assistance across North America, Europe and the Asia-Pacific region. The report contains incidents contributed by the following organizations: ACE Group; the CERT Insider Threat Center; CrowdStrike; Deloitte; the Dutch National High Tech Crime Unit; G-C Partners, LLP; Kaspersky Lab; Mishcon de Reya; NetDiligence; and the U.S. Secret Service. The study also includes the U.S. Health and Human Services incident database (for incidents affecting at least 500 individuals) and a significant number of incidents from the U.S. Veteran’s Administration as reported to Congress (from the VERIS Community Database project).