February 15, 2016


Insiders caused nearly half—42 percent—of data loss involving protected health information.

Each time a Community Health Systems or an Anthem or a Premera Blue Cross gets hacked, sensitive patient records flood into the cyber underground.

But cyber thieves are by no means the only parties responsible for exposing sensitive information protected by the Health Insurance Portability and Accountability Act.

Company insiders also are playing a major role in PHI—protected health information—getting into the wrong hands.


What’s more, it is not just medical facilities and health care insurers losing PHI. Government agencies, financial services companies, law and accounting firms, and even retailers are losing health care data at an alarming rate.

Those are the big takeaways from Verizon’s 2015 Protected Health Information Data Breach Report, a special look at more than 1,500 actual incidents, predominantly in the United States, in which at least 392 million PHI records have turned up lost or stolen. Most of the incidents occurred between 2004 and 2014.

The report was assembled by the same team of investigators and analysts responsible for Verizon’s highly regarded Data Breach Investigations Report, an annual assessment of patterns found in hundreds of actual data breach investigations.

Verizon’s analysts found:

  • 42 percent of PHI data loss incidents were attributable to internal parties, while 50 percent could be blamed on external actors.
  • In 45 percent of incidents, PHI was exposed due to lost or stolen computing devices.
  • Health care organizations reported 1,403 breaches involving medical records; public agencies, 177; financial companies, 113; retailers, 32; and professional firms, 35.

Lost devices big threat

The big takeaway for Marc Spitler, senior analyst for Verizon Enterprise Solutions and one of the report authors, was the high rate of lost computing devices carrying unencrypted PHI.

Marc Spitler, Verizon Enterprise Solutions senior analyst

“We’re a little surprised and disappointed that we’re still seeing such a significant amount of lost and stolen devices being reported as potential vectors of PHI theft,” Spitler says.

After all, full-disk encryption (FDE) is “a very basic security mechanism” that renders sensitive data on laptops unusable, Spitler points out. Full-disk encryption amounts to a “get-out-of-jail-free card,” since lost or stolen devices containing protected data are not required to be reported to authorities, he says.

Robin Daniels, chief revenue officer for Vera, a data security company, feels much the same. “It’s nearly criminal to me that the number (of unencrypted devices) is this high in 2015,” Daniels says.

Daniels says that encryption is still widely viewed as cumbersome and expensive, which it used to be—20 to 30 years ago.

Robin Daniels, Vera chief revenue officer

“Of course, that’s not the case anymore,” says Daniels, adding that data protection and encryption have become top priorities for many industries.

Complexities hamper security

Still, the health care industry lags behind other sectors in implementing security tools such as encryption. Even the FBI issued a warning that this sector is much less resilient than others, such as the financial and retail sectors.

Part of the challenge is that integrating technology and health care delivery is much more complex, says Michael Ebert, a health care and life sciences consultant at KPMG.

A typical medical environment can have tens of thousands of endpoints, including employee mobile devices, treatment equipment and scanning machines, Ebert says. “A lot of that technology is not encrypted because it requires FDA approval, and that process takes a long time,” he adds.

Furthermore, disparate subsystems—the operating room, emergency department and intensive care unit, for instance—have to be seamlessly integrated, says Michelle Knighton, a lab manager at ICSA Labs, which certifies security and health IT products.

“All those systems have to work together to provide that central patient record to the physician,” she says. “That adds complexity and introduces more weaknesses.”

False peace of mind

Knighton sees a movement toward encryption, but it’s limited mostly to technology such as electronic health record systems, which have mandatory minimum security features.

Michelle Knighton, ICSA Labs lab manager

“Compliance doesn’t equal security,” she says. “There’s a misconception that using a certified EHR system that’s been tested for certain security criteria provides a guarantee that a system can’t be breached and data won’t be lost. That’s completely untrue.”

Many health care organizations are realizing that compliance is not enough. Ebert says in the past, entities were mostly interested in the criteria imposed by HIPAA. But in the past six months, he’s seen a growing interest in applying a much broader framework to security.

“Organizations are getting more cybersecurity guidance, and they’re starting to look at it in a more complex way,” he says.

And the health care industry is not the only one on the hook for securing PHI. Verizon found that almost one-third of medical record breaches occurred in other sectors.

“Even if you’re in industry X, realize that if you have employees, you may have PHI and you need to know where that information resides and what protections you have in place,” Spitler says.

He notes that even when medical information is breached, the bad actors often are after other data, such as Social Security numbers and financial information.

“The attackers are looking more for weaknesses in certain systems than going after specific corporations; the attacks are more opportunistic than targeted,” he says.

Regardless of the industry, Daniels believes there’ll be mounting pressure for companies to protect their data.

“I think what will be a watershed moment in 2016 is that the public is going to demand it,” he says. “Any organization will be expected to protect you from breaches.”

This article originally appeared on