Healthcare data breaches skyrocket, but is there good news coming?

Bitglass’ Healthcare Breach Report provides a sobering view of the state of healthcare data security

In 2016, 328 individual healthcare breaches occurred, surpassing the previous record of 268 in 2015, according to Bitglass’ recent Healthcare Breach Report. As a direct result of the breaches, records of approximately 16.6 million Americans were exposed due to hacks, lost or stolen devices, unauthorized disclosure and more.

The good news, however, is that the overall number of compromised records has declined for the second year in a row, and early indications suggest that those numbers will continue to decline in 2017.


The report aggregates data from the U.S. Department of Health and Human Services’ Wall of Shame—a database of breach disclosures required as part of the Health Insurance Portability and Accountability Act (HIPAA)—to identify the most common causes of data leakage.

Bitglass, a data protection vendor, explored the changes in breach frequency, as well as the preventative steps organizations have taken to limit the impact of each breach in 2016 and in the first quarter of 2017. Other than the grim headline breach number, the key Bitglass report findings include the following:

  • The total number of citizens impacted by breaches is down significantly from 2015—even when excluding the massive Anthem medical data breach.
  • Unauthorized disclosures are now the leading cause of breaches, accounting for nearly 40 percent of breaches in 2016.
  • Hacking and IT incidents continue to pose the greatest risk—the volume of records that leak because of hacking is greater than all other breach events combined.
  • All five of the largest breaches in 2016 were the result of hacking and IT incidents. To put that in perspective, 80 percent of leaked records in 2016 were the result of hacking. So far in 2017, the largest breach was the result of theft, and the four next largest breaches were due to hacking.

“Breaches and information leaks are unavoidable in every industry, but healthcare remains one of the biggest targets,” said Nat Kausik, CEO of Bitglass. “While threats to sensitive healthcare data will persist, increased investments in data-centric security and stronger compliance and disclosure mandates are driving down the impact of each breach event.”

Breach costs hit record high

According to data from the Ponemon Institute, the average breach costs U.S. companies $221 per lost record, which is up from $217 per record in 2015. The cost per leaked record for healthcare firms topped $402 in 2016, which is a massive cost given the number of records lost because of hacking-related breaches. Given the significant value of healthcare data—Social Security numbers, treatment records, credit information and more sensitive personal information—the cost of a breach to a hospital or health system can be devastating.

Why healthcare data?

When credit card breaches occur, issuers can simply terminate all transactions. Plus, individuals benefit from laws that limit liability. However, victims have little recourse when subjected to identity theft via protected health information (PHI) leaks, and many are not promptly informed that their data has been compromised. While criminals often leverage healthcare data for the purposes of identity theft, they can also leverage it to access medical care in the victim’s name or to conduct corporate extortion.

Under HIPAA, organizations dealing with PHI must implement several technical safeguards. Details on how Cloud Access Security Brokers can protect against breaches, and the key capabilities necessary to protect data in the cloud and achieve compliance, can be found in the full Bitglass 2017 Healthcare Breach Report.


The report is sobering reading. While there are some positive developments in there, overall there are still some concerning statistics. The healthcare industry as a whole needs to do better.

Copyright © 2017 IDG Communications, Inc.
