Over on HealthLeaders Media, Dom Nicastro has an article with the optimistic headline, “Healthcare Data Breaches Lag Other Industries.”
Unfortunately, the article is based on the recent Verizon-USSS report. As I’ve previously commented, the results of that study are at odds with other studies that are based more on media reports and other resources. As long as there is a significant self-selection or self-referral factor in Verizon’s database, I do not think we can conclude that health care sector breaches make up just 3% of all breaches. To the contrary, I think that until recently, we have been less likely to find out about health care sector breaches because federal regulations for financial institutions were more stringent on notification of breaches than HIPAA and state laws that require notification by businesses often exempt HIPAA-covered entities.
Additionally, I think that we are less likely to find out about breaches in the health care than some other sectors because:
1. Health care entities are more concerned about confidentiality and may be less likely to publicly admit to any breach due to reputational harm issues (although new requirements under ARRA mandate such disclosure which helps explain the recent upsurge in number of breach reports from this sector), and
2. Health care entities may not invest as much in IT security and as one result, may not detect breaches as promptly as entities in other sectors who may be required to have regular security audits by certified auditors or who may be more likely to have consumers contact them if they’ve experienced any fraud. I hypothesize that when people experience fraud on their credit or debit cards, they will wrack their brains thinking of what stores they may have used their card at and totally forget that they used the card for health care services. Similarly, I doubt most people who become victims of new account fraud would think about whether an employee of a hospital or health insurer might have stolen or sold their details to others to use for fraudulent purposes.
It would be nice if Verizon was right in suggesting that health care sector breaches are less than 5% of all breaches. I just don’t think that statement is warranted.