Criminal Attacks Are Now Leading Cause of Data Breach in Healthcare, According to New Ponemon Study

May 7, 2015 at 12:31 pm

Study Reveals Five-Year Data Breach and Security Trends of Growing $6 Billion Epidemic That Puts Millions of Patients and Their Information at Risk

TRAVERSE CITY, Mich. and PORTLAND, Ore. — The healthcare industry is experiencing a surge in data breaches, security incidents, and criminal attacks—exposing millions of patients and their medical records—according to the latest Ponemon Institute study, sponsored by ID Experts®, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. The study reveals that criminal attacks in healthcare are up 125 percent since 2010 and are now the leading cause of data breach. The findings also show that most healthcare organizations are still unprepared to address this rapidly changing cyber threat environment and lack the resources and processes to protect patient data. According to the FBI, criminals are targeting the information-rich healthcare sector because individuals’ personal information, credit information, and protected health information (PHI) are accessible in one place, which translates into a high return when monetized and sold. To learn more about the Fifth Annual Study on Privacy & Security of Healthcare Data, visit for a free copy.

Five-Year Trends Indicate Shift in Data Breach Causes
“We are seeing a shift in the causes of data breaches in the healthcare industry, with a significant increase in criminal attacks. While employee negligence and lost/stolen devices continue to be primary causes of data breaches, criminal attacks are now the number-one cause,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Since first conducting this study, healthcare providers are starting to make investments to protect patient information, which need to keep pace with the growing cyber threats.”

A criminal attack is the deliberate attempt to gain unauthorized access to sensitive information, usually to a computer system or network, resulting in compromised data. Criminal attacks are often referred to as cyber-attacks, but can also include malicious insiders and/or paper medical files. Medical records are greatly susceptible to threats and fraudulent activity because of the value of their information and because they are accessible at many points. The study indicates that medical files, as well as billing and insurance records, are the top stolen targets.

Size Doesn’t Matter: No One is Immune from Data Breach
Since sensitive patient data can be easily transmitted and exposed, no organization is immune from data breach. Those especially vulnerable are healthcare organizations including hospitals, clinics, private or public healthcare providers—also referred to as “covered entities” (CEs)—and their “business associates” (BAs), including patient billing, health plans, claims processing, and cloud services. A business associate is a person or entity that performs services for a covered entity that involve the use or disclosure of PHI, according to the U.S. Department of Health & Human Services. Small- to middle-market organizations are at greater risk for data breach, as they have limited security and privacy processes, personnel, technology, and budgets compared to their enterprise or large corporate counterparts.

Reported Data Breaches Are Only the Tip of the Iceberg
As part of everyday business, there are exponentially more security incidents than data breaches. Under federal law, all security incidents need to be assessed to determine if they are data breaches that require reporting. The study’s findings indicate that organizations are not thoroughly assessing their security incidents. In fact, one-third of the respondents do not have an incident response process in place.

“A breach is a breach, no matter how small. Whether 5,000,000, 5,000, or 50 individuals are affected, the impact to each and every person is a big deal,” said Rick Kam, CIPP/US, president and co-founder of ID Experts. “How many more individuals could be at risk due to unreported data breaches?”

Key Findings of the Research
· Data breaches in healthcare are rising.
All healthcare organizations, regardless of size, are at risk for data breach. Ninety-one percent of healthcare organizations had one data breach; 39 percent experienced two to five data breaches; 40 percent had more than five data breaches over the past two years. In comparison, 59 percent of business associates experienced data breaches; 14 percent experienced two to five data breaches; 15 percent experienced more than five data breaches over the same period. Half of all healthcare organizations, both CEs and BAs, have little or no confidence that they have the ability to detect all patient data loss or theft. Data breaches are costing the healthcare industry $6 billion annually; the average economic impact of data breaches per organization is $2,134,800.

· Criminal attacks are the new leading cause of data breach in healthcare.
Criminal attacks in healthcare are up 125 percent compared to five years ago. Now, in fact, nearly 45 percent of data breaches in healthcare are a result of criminal activity. The percentage of criminal-based security incidents is even higher; for instance, 78 percent of healthcare organizations and 82 percent of BAs had web-borne malware attacks. Yet, only 40 percent of healthcare organizations are concerned about cyber attacks.

· Security incidents are part of everyday business.
Sixty-five percent of healthcare organizations and 87 percent of BAs experienced electronic information-based security incidents over the past two years, and approximately half of all respondents suffered paper-based security incidents. However, organizations lack the financial and personnel resources to protect patient information. More than half of healthcare organizations and half of BAs don’t believe their incident response process has adequate funding and resources. In fact, one third of respondents don’t even have an incident response process in place. Healthcare organizations remain unsure if they have sufficient technologies and resources to prevent or detect unauthorized patient data access, loss or theft. In addition, the majority of them fail to perform a risk assessment for security incidents, despite the federal mandate to do so.
· The threat of medical identity theft to breached individuals is growing; however, harms are not being addressed.
According to the Ponemon/Medical Identity Fraud Alliance study, 2014 Fifth Annual Study on Medical Identity Theft, medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014. Yet, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data further reinforces that the harms to individuals affected by a breach are not being addressed. Nearly two-thirds of both types of respondents do not offer any protection services for patients whose information has been breached.

Research Findings Further Discussed Via Prerecorded Webcast and Webinar
Listen to a prerecorded press webcast with Dr. Larry Ponemon and Rick Kam to hear highlights of the study. Additionally, they will outline the study in detail via a free webinar, Healthcare Data is Under Attack, to be held on May 28, 2015, at 10:00 a.m. PT/1:00 p.m. ET. Click here to register.

About the Study
The Fifth Annual Study on Privacy & Security of Healthcare Data utilized in-depth, field-based research involving interviews with senior-level personnel at healthcare providers and business associates to collect information on the actual data loss and data theft experiences at their organizations. The 2015 study was expanded beyond healthcare providers to include business associates. This benchmark research, in contrast to a traditional survey-based approach, enables researchers to collect both the qualitative and quantitative data necessary to understand the current status of privacy and security of healthcare data of those who participated in the study.

About Ponemon Institute
Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About ID Experts
ID Experts® provides software and services to simplify the complexities of managing privacy and security incident response. Its award-winning RADAR® software is relied on by some of the largest healthcare, insurance, and financial services organizations to reduce risks and ensure compliance. MIDAS™—the Medical Identity Alert System—is a monitoring and protection solution provided by health plans to reduce insurance fraud and help consumers avoid medical identity theft in the event of a data breach. For more than a decade, ID Experts has provided data breach services and managed thousands of incidents. ID Experts is an advocate for privacy and participates with the Consumer Federation of America, the PHI Protection Network and Patient Privacy Rights. Visit
Media Contacts:
Kelly Stremel or Lisa MacKenzie
MacKenzie Marketing Group

Note to Media:
To schedule an interview with Rick Kam or Dr. Larry Ponemon, please contact