DataBreaches.Net

Survey – More patient data breaches, less security, and more headaches for patients

Posted on December 1, 2011 by Dissent

Ponemon has released a new survey on data breaches in the healthcare sector. The Second Annual Benchmark Study on Patient Privacy and Data Security, sponsored by ID Experts, is available on their web site, but I want to pull out a few points from the results that I think are worth noting:

The number of reported breaches was up 32% in 2011 compared to 2010. Significantly, 46% of the entities reported experiencing 5 or more data breaches in the past two years – up from 29% of the sample in the first benchmark survey. Are breaches actually increasing, though, or is there just better detection? For this time period, over half of breaches were detected by employees, an improvement over last year.

The average number of lost or stolen records per breach was 2,575. This, too, is an increase over last year, when the average number of records compromised per breach was 1,769. Given the small sample size (72 organizations participated in the survey) and that there were no “monster” (>100,000 records) breaches reported last year but one reported this year, the increased records per breach statistic may be somewhat skewed. That said, we have certainly seen some huge patient data breaches recently – the Sutter Health breach affecting 4.2 million and the SAIC/TRICARE breach affecting 5.1 million. Although neither incident is likely to be among those included in the survey, I would expect to see a significantly higher records per breach statistic for 2011.

Widespread use of mobile devices continues to put patient data at risk. Not surprisingly, 81% of healthcare organizations report that they use mobile devices to collect, store, and/or transmit some form of protected health information (PHI). Worryingly, 49% of participants report their organizations do nothing to protect these devices. Thus, despite all of the media coverage, many organizations continue to engage in what I would best characterize as negligent security practices. HITECH and new regulations do not appear to have significantly improved security and many entities do not appear to be particularly concerned about HHS/OCR imposing any fines. Perhaps when OCR starts auditing in 2012 or starts handing out more fines, organizations will invest more in security. One of the most significant findings of the second benchmark study was that organizations feel that they do not have the budget or resources allocated to properly secure patient data and many organizations still do not make security of patient data a priority.

The top three causes for data breaches continue to be lost or stolen devices (49%, up from last year), third-party “snafu,” a term that can cover a lot of sins (46%, up from last year), and unintentional employee action (41%, down from last year). Reports of criminal attacks increased from 20% last year to 30%. If third-party “snafus” showed the biggest increase from the last survey, one might expect to see organizations tightening up their contracts with business associates to incorporate more security and privacy protections. That does not appear to be the case, however, with fewer respondents feeling confident that their organization had adequate contracts in place.

The average economic impact of a data breach was $2.2 million, up 10% from last year. Respondents continue to express concern or belief that they are at risk of losing patients as a consequence of a breach, but again, there are no objective data to support their concern. It’s time to stop asking people what they believe and find out what really happens. When a hospital is the only game in town, I doubt they are going to lose patients over a breach. Indeed, I doubt that there’s much churn at all in the healthcare sector due to breaches. Show me the data.

Over 70% of respondents recognized that patients may be at increased risk of harm from a data breach (medical identity theft, financial identity theft, or other problems from private information becoming public) and 74% reported that following a data breach, the patients either suffered identity theft (financial or medical) or they weren’t sure if the patients had suffered identity theft. Why, then, do the majority (65%) not offer protection services for the affected patients following a data breach? Offering credit monitoring if no Social Security Numbers or financial data are compromised makes no sense to me, but organizations have an affirmative obligation to mitigate harm. Are they living up to that obligation?

While the survey highlights some improvements (such as more detection of breaches by employees), its overall message is that organizations continue to put patients at risk by not deploying security technologies, by not ensuring business associates adequately protect data, and by recklessly allowing data to leave the premises on mobile devices that are lost or stolen. And when patients are harmed by breaches or face increased risk of harm, entities are likely to offer no meaningful help.

All in all, a fairly depressing report.

Category: Health Data
