Jigsaw Security Analytics posted an interesting report today.
Over the past few months we have been silently collecting data and comparing news articles to actual data that our OSINT-X platform has been monitoring.
[…]
We set up a quick test plan and implemented the plan in OSINT-X to basically read news articles, pull out any references to leaks of information, personal credential disclosures, breach notifications, etc., and we started comparing this data to information being posted to Pastebin, other paste sites, Darknet and underground forums. The goal in this was to find out just how many times corporations actually disclose that they have been breached. To keep things fair, we had manual review to ensure that the “breached” information was legitimate (meaning we checked to verify whenever possible before including the results in our statistics). What we found was quite interesting.
In this article, they reported on three sectors. I’m going to jump to their results in the healthcare sector:
By far the healthcare industry was the worst of the worst during this timeframe. From inadvertain (sic) prescriptions being sent to the wrong fax number to multiple instances of hackers stealing data, we really don’t even know where to begin.
During our analysis we noted a total of 305 individual incidents during the 90 day study period of which only 52 were publicly disclosed by the healthcare organization. It appears as though many times the victims are reluctant to disclose the issues out of fear of litigation or brand reputation.
Well, wait a second. Are you assuming that the entity even knows about the breach? If data are posted on a paste site, what makes you think the entity even knows about the problem? Did you contact them to inquire?
And if you didn’t contact them and they’re a U.S. entity covered under HIPAA, how do you know that the entity didn’t disclose the breach to HHS and send notification letters to individuals? Under HITECH, a covered entity has no obligation to issue a public statement/substitute notice unless certain conditions exist. So if you’re looking at small-n incidents and don’t see a public statement, it is not safe to assume that there has been no disclosure.
What was interesting is that, of the disclosed leaks, only 4 have had any sort of legal issue as a result of the breach itself. 3 events were insider theft of health information for illicit use.
It seems the healthcare industry as a whole refrains from reporting whenever they can get away with it, even though the actual cost of a breach seems to be leveling out and many organizations are covered under cyber insurance policies.
Read more on Jigsaw Security Analytics. I want to find out more about their methodology and results.
I question their methodology. At my last employer we regularly saw claims of breached data, things like password lists, pasted to pastebin. When we examined them, as often as not, we found that the data had no correlation with the data inside the company. For example, many of the emails were not in our email service, and for those which were, no pasted password functioned to authenticate the customer.
We need to know more about what they mean by “we verified the information” to judge their work.
Agreed, which is why I said I wanted to know more about their methods.
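The verification the commenter above describes, checking a pasted credential list against the company's own user directory and then against its stored password hashes, as an added example in Python. This is not code from DataBreaches.net, Jigsaw Security Analytics, or the commenter; the user store, the paste text, the verdict labels and every function name here are constructed for illustration only.

```python
"""Triage a pasted credential dump against an organisation's own user store.

Added example, not code from the article, the report, or the commenter.
It implements the check the commenter describes: parse a paste that claims to be
"breached" credentials, count how many of the e-mail addresses exist in our
directory, and for those that do, test whether the pasted password actually
verifies against the stored hash. Everything below is constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Typical paste line: "user@example.com:password"; also ';', ',' or tab separators.
# Banners, headers and junk lines contain no "@" and are skipped.
PASTE_LINE = re.compile(r"^\s*([^\s:;,\t]+@[^\s:;,\t]+)\s*[:;,\t]\s*(.+?)\s*$")

# Deliberately low so the example runs quickly; production stores use far more.
PBKDF2_ROUNDS = 50_000


def parse_paste(text: str) -> list[tuple[str, str]]:
    """Return (email, password) pairs; e-mails are lower-cased for lookup,
    surrounding whitespace on the password is dropped."""
    pairs = []
    for line in text.splitlines():
        m = PASTE_LINE.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def hash_password(password: str, salt: bytes | None = None) -> str:
    """PBKDF2-HMAC-SHA256, stored as 'salt_hex$hash_hex' (constructed format)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Offline check against the stored hash; never a live login attempt."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed stand-in for the internal user store: email -> stored hash.
USER_STORE = {
    "alice@example.org": hash_password("correct horse battery staple"),
    "bob@example.org": hash_password("hunter2"),
    "carol@example.org": hash_password("Tr0ub4dor&3"),
}

# Constructed paste: a banner, one real credential, one real address with a
# wrong password, one unknown address in our domain, one foreign address, junk.
SAMPLE_PASTE_MIXED = """\
=== Example Corp MEGA LEAK ===
alice@example.org:correct horse battery staple
Bob@example.org:wrongpassword
dave@example.org;letmein
zoe@other-example.net,qwerty123
random junk line
"""

# Constructed paste with no overlap at all, the case the commenter reports seeing.
SAMPLE_PASTE_UNRELATED = """\
user1@nowhere.test:password1
user2@nowhere.test:password2
"""


@dataclass
class PasteAssessment:
    total_pairs: int        # credential pairs parsed from the paste
    known_accounts: int     # pasted addresses that exist in our store
    valid_credentials: int  # known accounts whose pasted password verifies
    verdict: str


def assess_paste(paste_text: str, user_store: dict[str, str]) -> PasteAssessment:
    pairs = parse_paste(paste_text)
    known = valid = 0
    for email, password in pairs:
        stored = user_store.get(email)
        if stored is None:
            continue
        known += 1
        if verify_password(password, stored):
            valid += 1
    if not pairs:
        verdict = "unparseable"
    elif known == 0:
        verdict = "no correlation"
    elif valid == 0:
        verdict = "addresses overlap, passwords do not verify"
    else:
        verdict = "confirmed valid credentials"
    return PasteAssessment(len(pairs), known, valid, verdict)


if __name__ == "__main__":
    for name, paste in (("mixed", SAMPLE_PASTE_MIXED), ("unrelated", SAMPLE_PASTE_UNRELATED)):
        print(name, assess_paste(paste, USER_STORE))
```

Two caveats worth keeping in mind when using a check like this. The password test is done offline against the stored hashes, never by replaying the pairs at the login endpoint, which would lock out real users and light up the fraud controls. And a pair that verifies proves only that the credential is valid, not where it came from: a user who reused the same password on another site that was breached will show up as "confirmed" here even though the company's own systems were never touched, so the verdict says something about the paste, not about the origin of the breach.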