DataBreaches.Net


Companies fail to report breaches more often than realized

Posted on December 5, 2015 by Dissent

Jigsaw Security Analytics posted an interesting report today.

Over the past few months we have been silently collecting data and comparing news articles to actual data that our OSINT-X platform has been monitoring.

[…]

We set up a quick test plan and implemented the plan in OSINT-X to basically read news articles, pull out any references to leaks of information, personal credential disclosures, breach notifications, etc., and we started comparing this data to information being posted to Pastebin, other paste sites, Darknet and underground forums. The goal in this was to find out just how many times corporations actually disclose that they have been breached. To keep things fair we had manual review to ensure that the “breached” information was legitimate (meaning we checked to verify whenever possible before including the results in our statistics). What we found was quite interesting.

In this article, they reported on three sectors. I’m going to jump to their results in the healthcare sector:

By far the healthcare industry was the worst of the worst during this timeframe. From inadvertent prescriptions being sent to the wrong fax number to multiple instances of hackers stealing data, we really don’t even know where to begin.

During our analysis we noted a total of 305 individual incidents during the 90 day study period of which only 52 were publicly disclosed by the healthcare organization. It appears as though many times the victims are reluctant to disclose the issues out of fear of litigation or brand reputation.

Well, wait a second. Are you assuming that the entity even knows about the breach? If data are posted on a paste site, what makes you think the entity even knows about the problem? Did you contact them to inquire?

And if you didn’t contact them and they’re a U.S. entity covered under HIPAA, how do you know that the entity didn’t disclose the breach to HHS and send notification letters to individuals? Under HITECH, a covered entity has no obligation to issue a public statement or substitute notice unless certain conditions exist: media notice is only required when a breach affects more than 500 residents of a state or jurisdiction, and substitute notice only when the entity lacks current contact information for ten or more affected individuals. Breaches affecting fewer than 500 people are reported to HHS within 60 days after the end of the calendar year and are not listed on HHS’s public breach portal at all. So if you’re looking at small-n incidents and don’t see a public statement, it is not safe to assume that there has been no disclosure.

What was interesting is that of the disclosed leaks, only 4 of them have had any sort of legal issue as a result of the breach itself. 3 events were insider theft of health information for illicit use.

It seems the healthcare industry as a whole refrains from reporting whenever it can get away with it, even though the actual cost of a breach seems to be leveling out and many organizations are covered under cyber insurance policies.

Read more on Jigsaw Security Analytics. I want to find out more about their methodology and results.


Category: Commentaries and Analyses


2 thoughts on “Companies fail to report breaches more often than realized”

  1. Adam says:
    December 5, 2015 at 2:27 pm

    I question their methodology. At my last employer we regularly saw claims of breached data, things like password lists, pasted to pastebin. When we examined them, as often as not, we found that the data had no correlation with the data inside the company. For example, many of the emails were not in our email service, and for those which were, no pasted password functioned to authenticate the customer.

    We need to know more about what they mean by “we verified the information” to judge their work.

    1. Dissent says:
      December 5, 2015 at 5:42 pm

      Agreed, which is why I said I wanted to know more about their methods.
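The correlation check Adam describes (does each pasted e-mail address exist in our directory, and does the pasted password actually verify?) is easy to script, and it is also the kind of verification the Jigsaw report says it did by manual review. The following is an added example for this page, not code from the post, the commenter or Jigsaw. It parses a constructed email:password paste, checks each entry against a constructed directory of salted PBKDF2 hashes rather than attempting live logins (which would trip lockouts and leave noise in the authentication logs), and tallies three buckets: addresses we do not hold at all, addresses we hold whose pasted password does not verify, and confirmed valid credentials. Every account, address and password below is made up.

```python
# Added example: triage a claimed credential paste against an internal
# user directory. Not the report's or the commenters' code; all data is constructed.
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier; a real identity store already holds these."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_directory(accounts: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Constructed stand-in for the identity store: email -> (salt, hash)."""
    directory: dict[str, tuple[bytes, bytes]] = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        directory[email.lower()] = (salt, _pbkdf2(password, salt))
    return directory


@dataclass
class TriageResult:
    total_entries: int = 0        # non-blank, non-comment lines seen
    malformed: int = 0            # lines that are not email:password
    unknown_accounts: int = 0     # address is not in our directory at all
    known_no_match: int = 0       # our user, but the pasted password fails
    confirmed: list[str] = field(default_factory=list)  # verified credentials


def parse_paste(text: str):
    """Yield (email, password) for each email:password line, or None if malformed."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        email, sep, password = line.partition(":")
        email = email.strip().lower()          # addresses are case-insensitive
        if not sep or "@" not in email or not password:
            yield None
        else:
            yield (email, password)


def triage_paste(text: str, directory: dict[str, tuple[bytes, bytes]]) -> TriageResult:
    """Check each pasted pair against stored hashes instead of a live login."""
    result = TriageResult()
    for item in parse_paste(text):
        result.total_entries += 1
        if item is None:
            result.malformed += 1
            continue
        email, password = item
        entry = directory.get(email)
        if entry is None:
            result.unknown_accounts += 1
            continue
        salt, expected = entry
        if hmac.compare_digest(_pbkdf2(password, salt), expected):
            result.confirmed.append(email)
        else:
            result.known_no_match += 1
    return result


def verdict(result: TriageResult) -> str:
    """Reduce the counts to the question the comment asks: is this our data?"""
    if result.confirmed:
        return "confirmed: paste contains valid current credentials"
    if result.known_no_match:
        return "our addresses appear, but no pasted password verifies"
    return "no correlation with the directory"


# Constructed sample data: two real matches, one wrong guess, one foreign address.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "hunter2",
    "bob@example.com": "correct horse battery staple",
    "dave@example.com": "Tr0ub4dor&3",
}

SAMPLE_PASTE = """\
# constructed paste, not real data
Alice@Example.com:hunter2
bob@example.com:WrongGuess!
carol@othercorp.example:letmein
dave@example.com:Tr0ub4dor&3
this line is garbage
"""


def run_sample() -> TriageResult:
    """Triage the constructed paste against the constructed directory."""
    return triage_paste(SAMPLE_PASTE, build_directory(SAMPLE_ACCOUNTS))


if __name__ == "__main__":
    r = run_sample()
    print(f"{r.total_entries} entries, {r.malformed} malformed, "
          f"{r.unknown_accounts} unknown, {r.known_no_match} known/no match, "
          f"{len(r.confirmed)} confirmed: {r.confirmed}")
    print(verdict(r))
```

Only the confirmed bucket proves the paste contains current credentials of yours. A large unknown bucket is the pattern Adam describes, and known-but-no-match entries can be stale passwords or credentials reused from another site, so the counts are triage evidence for the analyst, not a verdict on whether the organization was breached.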


© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.