An analysis of Data Breaches in the Healthcare Industry

Intro

In just the first four months of 2019, 103 breaches were reported to the Office for Civil Rights. In total, these breaches affected 3,602,858 individuals. Even with patient privacy being a concern for many health providers, the industry is falling short in protecting sensitive data. Across the US, companies are reporting incidents of theft, unauthorized access, and hacking.

Breaches over time

The Office for Civil Rights publishes a dataset of reported breaches going back as far as 2009. If we graph the number of breaches reported each month over the past 9 years, the trend is clear. We can also see a few months with a high number of “Individuals Affected” around 2015 (represented by the size of the dot). The most notable is the Anthem breach reported in February 2015, which affected 78,800,000 people.

Types of Breaches

The most common types of breaches are hacking, theft, and unauthorized access. Breach reports can contain multiple breach types, so some parsing had to be done in order to create a meaningful chart on this field. The graph below shows the number of reported breaches per month, distinguished by breach type using color. The size of the dot, as in our previous chart, shows the relative sum of the records (i.e. individuals affected) for the breaches in the month.
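The parsing step described above can be sketched as follows. This is an added example, not the author's code: the column names are assumed to follow the OCR breach portal export, the comma is assumed to be the separator between breach types, and the rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows; column names are assumed to match the OCR export.
SAMPLE_CSV = """Name of Covered Entity,Breach Submission Date,Individuals Affected,Type of Breach
Example Clinic A,01/15/2019,1200,"Theft, Unauthorized Access/Disclosure"
Example Health Plan B,01/28/2019,54000,Hacking/IT Incident
Example Hospital C,02/03/2019,800,Theft
Example Practice D,02/19/2019,,"Hacking/IT Incident, Unauthorized Access/Disclosure"
"""

def split_breach_types(raw):
    """Split a multi-valued breach type cell into a sorted list of distinct types."""
    parts = (p.strip() for p in raw.split(","))
    return sorted({p for p in parts if p})

def monthly_breach_summary(csv_text):
    """Return {(YYYY-MM, type): [report_count, individuals_affected]}.

    A report listing several types is counted once under each type, so
    per-type totals can exceed the number of reports in a month.
    """
    summary = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(csv_text)):
        date = datetime.strptime(row["Breach Submission Date"], "%m/%d/%Y")
        month = date.strftime("%Y-%m")
        affected = int(row["Individuals Affected"] or 0)  # blank cell counted as 0
        for breach_type in split_breach_types(row["Type of Breach"]) or ["Unknown"]:
            summary[(month, breach_type)][0] += 1
            summary[(month, breach_type)][1] += affected
    return dict(summary)

if __name__ == "__main__":
    rows = sorted(monthly_breach_summary(SAMPLE_CSV).items())
    for (month, breach_type), (count, affected) in rows:
        print(f"{month}  {breach_type:<32} reports={count} individuals={affected}")
```

Because a multi-type report contributes its full "Individuals Affected" figure to every type it lists, the per-type sums are suitable for sizing dots within a type but should not be added across types.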

A few things stand out in this chart. Most notably, the reporting of theft has been declining sharply while reports of unauthorized access and hacking have been increasing. My hypothesis on why the reports of theft have dropped is that the prevalence of encrypted storage has increased. This is a purely anecdotal observation from my experience in IT Risk over the past 10 years, but it makes sense. If a laptop is stolen but its hard drive is encrypted, OCR does not consider the data on that hard drive accessible to an unauthorized user, and the theft therefore would not constitute a reportable breach.

My other observation is that the biggest breaches (i.e. ones that affect the most individuals) are related to hacking. When you combine that with the increase in hacking incidents it paints a dire picture for individual privacy.

Breach Map

The map below shows the total number of breaches by state. At first glance, it appears as though covered entities in California, Texas, and Florida have much higher occurrences of data breaches than covered entities in other states. However, this map looks a lot like a map of state populations from the 2015 census (see second map below).

There appears to be a correlation between the number of breaches in each state and the population. It might be worth exploring this further. I’d want to test the hypothesis that a higher population means more covered entities (i.e. hospitals) which are available to be breached in a given state. The next tab shows a more normal distribution of breaches across the US.

I normalized the breaches by dividing the number of breaches by the total state population. I expect this represents a more accurate picture, but statistical analysis would need to be done to determine whether a particular state is more likely to have a breach than others.

Covered Entities

I also wanted to see which covered entities incurred the most breaches. I found quality issues with the covered entity name column. I used a clustering algorithm to automatically group like names, then created a “mapping table” (see other tab) of rules based on those clusters. After running the mapping table logic, I was able to count all the breaches by entity and get a more accurate picture of the covered entities with the most reported breaches.

Mapping Table

| from | to |
| --- | --- |
| .Rite Aid. | Rite Aid |
| .Blue Cross. | Blue Cross |
| .Texas Health Human. | Texas Health Human Services |
| .Kaiser Foundation. | Kaiser Foundation |
| .University of Wisconsin. | University of Wisconsin |
| .University of Illinois. | University of Illinois |
| .United Health. | United Health |
| .Triples Salud. | Triples Salud |
| .Molina. | Molina Healthcare |
| .University of Kentucky. | University of Kentucky |
| .University of Texas. | University of Texas |
| .South Carolina Department. | South Carolina Department of Health |
| .North Carolina Department. | North Carolina Department of Health and Human Services |
| .Vincent Hospital. | St Vincent Hospital |
| .Indiana University. | Indiana University |
| .Florida Department. | Florida Department of Health |
| .Humana. | Humana Inc |
| .Kern Medical. | Kern Medical Center |
| .Colorado Department. | Colorado Department of Health Care Policy |
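The clean-up described under Covered Entities can be sketched as follows. This is an added example, not the author's code: the fingerprint function is one common key-collision clustering method and not necessarily the algorithm used here, each "from" pattern is assumed to be a case-insensitive substring test on the text between the dots, and the entity names are constructed.

```python
import re
from collections import Counter, defaultdict

# A few rules copied from the mapping table. Assumption: the text between the
# dots is matched as a case-insensitive substring of the entity name.
MAPPING_RULES = [
    (".Rite Aid.", "Rite Aid"),
    (".Blue Cross.", "Blue Cross"),
    (".Molina.", "Molina Healthcare"),
    (".Vincent Hospital.", "St Vincent Hospital"),
]

# Constructed covered-entity names, one per breach report.
SAMPLE_NAMES = [
    "Rite Aid Corporation", "RITE AID #1234", "Blue Cross of Example State",
    "Example Blue Cross Blue Shield", "Molina Healthcare, Inc.",
    "St. Vincent Hospital", "Saint Vincent Hospital and Health Care",
    "Example Clinic", "Clinic, Example",
]

def fingerprint(name):
    """Key-collision fingerprint: lowercase, drop punctuation, sort unique tokens."""
    tokens = re.sub(r"[^a-z0-9\s]", "", name.lower()).split()
    return " ".join(sorted(set(tokens)))

def cluster_names(names):
    """Group spellings sharing a fingerprint; keep groups with 2+ variants."""
    groups = defaultdict(set)
    for name in names:
        groups[fingerprint(name)].add(name)
    return {key: sorted(vs) for key, vs in groups.items() if len(vs) > 1}

def canonical_name(name, rules=MAPPING_RULES):
    """Return the 'to' value of the first matching rule, else the name unchanged."""
    for pattern, target in rules:
        if pattern.strip(".").lower() in name.lower():
            return target
    return name.strip()

def breaches_by_entity(names):
    """Count breach reports per canonical entity name."""
    return Counter(canonical_name(n) for n in names)

if __name__ == "__main__":
    print("Clusters to review:", cluster_names(SAMPLE_NAMES))
    for entity, count in breaches_by_entity(SAMPLE_NAMES).most_common():
        print(f"{count:>3}  {entity}")
```

Substring rules this broad merge every name containing the phrase, so each cluster should be reviewed before its count is treated as a single organization's total.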

Conclusion

Cyber criminals are attacking organizations of all sizes and industry verticals as IT and Security departments struggle to keep up with the latest threats. The Healthcare industry has seen an increase in the number of breaches over the past few years, especially those related to hacking. Understanding the threat landscape is an important part of increasing the privacy protections over patient data and identifying solutions that reduce breaches.

Questions? Contact Michael Molloy at mmolloy@cviewllc.com.
