Top 3 Causes of Health Data Breaches

How do healthcare data breaches happen? The latest report from Verizon gives us some insight.

The 2015 Protected Health Information Data Breach Report comes after a wave of data breaches in the healthcare industry. It reviews more than 1,900 data security incidents that met one of the following criteria:

  • Occurred in the healthcare industry
  • Affected medical records
  • Listed the victim as “patient”

Most of the incidents in the report occurred between 2004 and 2014. This overlooks the first half of 2015, a period in which major data breaches were discovered at health insurers Anthem and Premera. Nonetheless, the data is rich and useful.

What are the biggest causes of healthcare data breaches? Read on to find out.

3 problems cause 8 out of 10 health data breaches

The report focuses on security incidents that affect PHI, or protected health information. This is the health data that organizations are required to protect under HIPAA. It includes any “personally identifiable health information” such as a person’s name, address, email address, phone number, diagnosis, or medications taken.

Related: HIPAA Regulations for IT Compliance – Guidelines straight from the federal register

Three types of security incidents, or “incident patterns,” accounted for 86% of the health data breaches reviewed in the report, as you can see in the chart below.


Health data breach cause #1. Lost or stolen assets

This category accounts for a huge chunk (45%) of all the incidents reviewed.

Laptops, tablets, and flash drives are stolen frequently at healthcare organizations. Unfortunately the data on these devices is often unencrypted. This makes it trivially easy for a thief to access any PHI on the device.

When an unencrypted device containing PHI is stolen, this usually forces an organization to disclose the incident to authorities under HIPAA. However, if the stolen device is encrypted, the organization can safely assume that a thief cannot access the data and therefore disclosure is not necessary.


Here’s more from the report:

“Encryption (particularly of portable devices) offers a figurative ‘get out of jail free’ card since the data remains secure despite the loss of control over the asset. In the vast majority of cases, this means the incident does not trigger a duty to report under most breach laws.”

The authors recommend (wisely) that organizations encrypt the data on any hardware that stores PHI. Even if only a subset of the hardware is encrypted, such as portable devices that are not used for patient care, significant progress will be made toward protecting patient health data.

Encryption will not stop a theft, and it will not prevent a loss of availability, but it does put the valuable PHI out of harm's reach.

Health data breach cause #2. Privilege misuse

Privilege misuse could also be called an “abuse of privilege.” It occurs when someone is given legitimate access to health data and uses it for an illegitimate purpose, like snooping. These incidents account for 20.3% of all PHI incidents reviewed.

Occasional news reports of this have surfaced. In a typical example, one hospital identified a pharmacy worker who inappropriately accessed data on 844 patients over the course of a year. The data included patient demographics, clinical diagnosis, prescription data, and clinical notes.

This type of abuse most often occurs at the LAN-level (as you can see in the chart below), such as when an employee accesses a database on the network for illegitimate reasons.


Abuse of privilege via physical access and LAN access account for more than 93% of PHI data breaches in this category.
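The pharmacy-worker case above, a single account touching hundreds of patient records over a year, is the kind of pattern that routine access-log review can surface. The following Python script is an added example and is not part of the original post or of Verizon's report. It builds a constructed EHR access log in a hypothetical CSV format (timestamp, user, role, patient_id, action), counts the distinct patient records each user touched inside a 30-day window, and flags users whose count is far above the median for peers in the same role. The user names, roles, thresholds and log format are all assumptions made for the example.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed, deterministic sample access log (not real data).

    Five ordinary staff members each revisit a small set of patients; one
    pharmacy user (hypothetical 'pharm03') opens a new record nearly every hour.
    """
    lines = ["timestamp,user,role,patient_id,action"]
    base = datetime(2015, 3, 1, 8, 0, 0)
    staff = {"nurse01": "nurse", "nurse02": "nurse", "nurse03": "nurse",
             "pharm01": "pharmacy", "pharm02": "pharmacy"}
    for day in range(28):
        for i, (user, role) in enumerate(staff.items()):
            for k in range(3):
                # Each user cycles through six patients assigned to them.
                pid = f"P{1000 + (i * 4 + (day + k) % 6)}"
                ts = base + timedelta(days=day, hours=i, minutes=k * 10)
                lines.append(f"{ts.isoformat()},{user},{role},{pid},view")
    for day in range(28):
        for k in range(4):
            # The snooping pattern: a fresh patient id on every access.
            pid = f"P{2000 + day * 4 + k}"
            ts = base + timedelta(days=day, hours=9 + k)
            lines.append(f"{ts.isoformat()},pharm03,pharmacy,{pid},view")
    return "\n".join(lines) + "\n"


def parse_access_log(text):
    """Parse the CSV log into dicts with a real datetime in 'timestamp'."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
        rows.append(r)
    return rows


def distinct_patients_per_user(rows, window_days=30, end=None):
    """Return {user: (role, number of distinct patients)} for the window ending at `end`."""
    end = end or max(r["timestamp"] for r in rows)
    start = end - timedelta(days=window_days)
    seen = defaultdict(set)
    roles = {}
    for r in rows:
        if start <= r["timestamp"] <= end:
            seen[r["user"]].add(r["patient_id"])
            roles[r["user"]] = r["role"]
    return {u: (roles[u], len(p)) for u, p in seen.items()}


def flag_outliers(counts, factor=3.0, minimum=10):
    """Flag users above an absolute floor AND above `factor` times the median of
    same-role peers (the user is excluded from their own baseline so a single
    heavy user cannot hide by inflating it)."""
    flagged = {}
    for user, (role, n) in counts.items():
        peers = [c for u, (rl, c) in counts.items() if rl == role and u != user]
        baseline = statistics.median(peers) if peers else 0
        if n >= minimum and n > factor * baseline:
            flagged[user] = {"role": role, "distinct_patients": n,
                             "peer_median": baseline}
    return flagged


if __name__ == "__main__":
    rows = parse_access_log(build_sample_log())
    counts = distinct_patients_per_user(rows)
    for user, info in sorted(flag_outliers(counts).items()):
        print(f"REVIEW {user} ({info['role']}): {info['distinct_patients']} "
              f"distinct patients in 30 days, peer median {info['peer_median']}")
```

A role-relative baseline matters here: a triage nurse or a billing clerk legitimately touches far more records than a pharmacy technician, so a single global threshold would either miss the pharmacy case or drown reviewers in false positives. Flagged accounts are candidates for human review against a treatment or billing relationship, not automatic findings.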


Health data breach cause #3. Miscellaneous errors

The number of PHI data breaches attributed to error is nearly equal to the number attributed to privilege misuse. They account for 20.1% of the total.

Health data is disclosed by mistake quite often. The most common errors are listed in the chart below. Loss, such as losing a physical folder of documents or a flash drive, is the most common.


Note: Although “loss” is listed here under “Error,” we have to assume it is also in the “Lost and stolen assets” category. The distinction between “loss” in each category is not clear.

Mis-delivery happens to almost everyone who sends email. A few missed keystrokes and suddenly the message and its attachments are headed to the wrong party. This also happens with physical mail, particularly in mass mailings, when the wrong information is included.

A disposal error may be the work of a third party hired to destroy paper and electronics. When hiring a disposal service provider, the report recommends including penalties in the partnership agreement that match the severity of a data breach the provider may cause.

Find more in the breach report

The top three security incidents surrounding PHI are among the many insights you can get from Verizon’s report. Have a look to see other interesting data, such as the breakdown between internal and external actors, and the industries outside of healthcare where PHI is also breached.

Related resources

HIPAA Regulations for IT Compliance: The guidelines straight from the federal register

HIPAA Breach Notifications: Anti-marketing in healthcare

Healthcare IT Security: Compliance nightmare on horizon

Healthcare IT: 4 tips to get more small business clients in healthcare

Written by Calyptix

December 22, 2015
