
Healthcare Data Breaches Up 40% Since 2015

Analysis | By Alexandra Wilson Pecci | February 21, 2017

Reports of hacking and insider theft are at an all-time high in the healthcare industry.

When a U.S. attorney called South Florida "an epicenter of identity theft" last month, it was in the context of announcing federal charges against more than 100 suspected fraudsters.

One of them was a former Jackson Health System employee accused of accessing the health system's computer databases to steal patient data. The rogue employee, a former secretary, was accused of pilfering the social security numbers of more than 24,000 people over the course of five years. She was placed on administrative leave in 2016.

But the Miami-based safety net health system is certainly not alone in experiencing data breaches. According to a report from the Identity Theft Resource Center, the healthcare/medical industry experienced 377 reported data breach incidents in 2016, behind only the business sector in the number of incidents.

The healthcare industry represented 34.5% of the overall total number of breaches among the five industries tracked in the report.

The total number of breaches among the five industries included in the report is now at an all-time high. But ITRC experts said in a statement it's hard to tell whether there are actually more breaches each year or simply more reporting of breaches. In total, there were 1,093 reported data breaches in 2016. In 2015 there were 780—a 40% increase.

More than a decade of ITRC data shows that there were significantly more healthcare data breaches in 2016 than there were in 2005, when the data showed only 16. That number has grown steadily in the years since.

Laws are "always behind" with the latest techniques used to steal data, says Karen A. Barney, director of research and publications at the Identity Theft Resource Center. "In general, privacy laws typically seem to not necessarily keep pace."

But some industries are better than others at deterring theft. The banking and financial sectors are better than the medical industry, Barney notes.

The proof is in the numbers. In 2005, the banking/credit/financial industry had more data breaches than the medical/health industry. But by 2016, it had 52 breaches, compared to the health industry's 377, and accounted for just 4.8% of total breaches.

"There's a great need for corporate protocols and best practices to be in place," Barney says.

There have also been changes in how the breaches are occurring. Among the five industries in 2016, hacking/skimming/phishing accounted for 55.5% of total data breaches, compared to 14.1% in 2007.

Hacking, Physical Theft Dominate Healthcare Breaches

Broken down by industry, hacking was the most common data breach source for the healthcare sector, according to data provided to HealthLeaders Media by the Identity Theft Resource Center. Physical theft was the biggest breach category for healthcare in 2015 and 2014.

Insider theft and employee error/negligence tied for the second-most common data breach sources in 2016 in the health industry. In addition, insider theft was a bigger problem in the healthcare sector than in other industries, and has been for the past five years.

Insider theft is alleged to have been at play in the Jackson Health System incident. Former employee Evelina Sophia Reid was charged in a fourteen-count indictment with conspiracy to commit access device fraud, possessing fifteen or more unauthorized access devices, aggravated identity theft, and computer fraud, the Department of Justice said. Prosecutors say that her co-conspirators used the stolen information to file fraudulent tax returns in the patients' names.

What's the next data breach tactic for the healthcare industry to be aware of? According to Barney, it's "spear phishing," a scheme involving email that purports to be from company executives and requests personal information on employees.

The IRS noted a "400 percent surge in phishing and malware incidents so far this tax season and other reports of scams targeting others in a wider tax community" in a March 2016 warning to payroll and human resource professionals, she says.

"They pretend to be someone in authority," Barney says, and trick employees into giving things like social security numbers and W2 forms. "It's providing the thief with anything and everything they need to commit tax fraud."

Alexandra Wilson Pecci is an editor for HealthLeaders.

