Healthcare Breaches Hit All-Time High in 2016

More than 300 healthcare businesses reported data breaches in 2016, but a drop in leaked records put fewer Americans at risk.

A record-breaking 328 healthcare businesses reported data breaches in 2016, surpassing the record of 268 set one year prior. Healthcare records of about 16.6 million Americans were exposed due to hacks, lost or stolen devices, unauthorized disclosure, and other activity.

It's not all bad news, however. Sixteen million is significantly less than the nearly 35 million leaked records in 2015, which excludes the Anthem breach that compromised the information of nearly 80 million people.

These updates come from the Bitglass 2017 Healthcare Breach Report, which aggregates data from the US Department of Health and Human Services' Wall of Shame -- a collection of breach disclosures mandated under HIPAA -- to identify common causes of data exposure.

Bitglass product manager Salim Hafid says the study was done to analyze the causes of breaches and effects they have on businesses and customers. The factors behind data leakage have changed since 2014, when lost or stolen devices were primary drivers of data exposure.

"In the past few years, unauthorized disclosures, and hacking and IT incidents, have taken hold," Hafid says. "Folks are becoming more aware of the value of healthcare data."

Unauthorized disclosures are typically unintentional, he continues, but increasingly common as applications like Google Drive and Dropbox make it easier for employees to send large amounts of sensitive information to the wrong people.

"The rise in unauthorized disclosure isn't because people are more malicious, but because it's easier to share large volumes of data," says Hafid. "The ease with which you can share is both a positive and a negative."

However, bad actors are also part of the problem.

Hacking has become a bigger problem as a rise in publicized breaches is leading attackers to realize healthcare targets aren't as security-savvy as they once believed, especially when many are adopting mobile and cloud systems to accommodate their employees and patients.

"Businesses are incredibly vulnerable, and they don't have the appropriate security tools in place," Hafid continues. "The ability to access data from a personal device outside the corporate network is becoming more common, and organizations don't have the security to protect that kind of access."

While the industry has consistently seen more breaches year after year, Hafid says the decline in exposed records and affected individuals is a sign businesses are heading in the right direction.

A combination of proactive and reactive measures is essential to mitigate the effects of cyberattacks. Proactive measures, like restricting access to sensitive files and putting firewalls in place, are the primary means of limiting data leakage in the event of a breach.

"I think this is a positive sign and shows organizations are taking big steps," says Hafid of the rise in proactive security. "Even if they can't prevent a hack, they can lessen the effects of the hack."

While it's still early to tell how the rest of 2017 will unfold, he wouldn't be surprised to see the number of breaches continue to grow as attackers aim to capitalize on valuable healthcare data. The number of affected individuals will likely continue to drop as businesses put more security measures in place.

Hafid recommends three steps for businesses working to protect themselves:

Identity management: Ensure users are who they say they are. Authentication can prevent breaches caused by compromised credentials.

Ensure users are who they say they are. Authentication can prevent breaches caused by compromised credentials.

Mobile security: Many businesses let their guards down when it comes to mobile security, says Hafid. It's key to stay vigilant in terms of mobile security and protecting devices within the organization.

Many businesses let their guards down when it comes to mobile security, says Hafid. It's key to stay vigilant in terms of mobile security and protecting devices within the organization.

Encryption and data protection: Take steps to ensure files with sensitive data are encrypted. If data is leaked but protected, businesses still have visibility into who is accessing that data.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading: