Most Healthcare Data Breaches Now Caused by Email

Email has been the top source of data breaches in the healthcare industry three of the last four quarters, according to HHS Breach Portal. Unfortunately, this trend does not appear to be changing with email holding a considerable lead through the first two months of the third quarter.

A logical question to ask is why? While it would be impossible to definitively say, my hypothesis is that a couple of factors are represented.

1. Healthcare breaches are caused by external actors and internal employees. According to the Verizon 2018 Data Breach Report, healthcare was the only industry where most breaches were caused by employees. Don’t celebrate too quickly, as external actors still accounted for 44%. While a small subset of the internal breaches are malicious, most can be attributed to careless or compromised employees. During a recent conversation, a senior leader at a healthcare provider put it this way: “healthcare is unique in that almost every employee has access to highly regulated data.”
2. Healthcare presents a big target for breaches. Research and reviewing recent media headlines shows that healthcare continues to be a favorite target for cybercriminals. Attacks such as phishing, spear-phishing and ransomware are succeeding far too frequently in an industry that holds such sensitive information.

Healthcare Data Breach Statistics

Let’s look at the data breach statistics in a little more depth. The chart below shows that the number of breaches has risen steadily from a low of 22 in Q1 of 2017 to a high of 99 in Q2 of 2018. More troubling the total number of individuals impacted has also risen. With over 2.5 million patient records exposed from April 1 to June 30, 2018 and over 2.9 million records through the first two months of the third quarter. The industry is not trending in the right direction.

It’s also possible to isolate the source for the data breaches. In the second chart, the sources of the data breaches are shown by quarter. Email is marked with an arrow and it’s clear at least in four of the last five quarters, email has overtaken network servers and other categories for the total number of breaches.

This data provides hard numbers to the sentiment expressed in a Mimecast and HIMSS Analytics survey released in early 2018. The survey found CIOs and IT directors felt email was the most likely source for a breach, receiving more first place votes than all other categories combined.

Given the importance that email plays in communication and the potential threat it poses, it’s important to stay current on the threats to the healthcare industry. This isn’t just a technology problem. Employees at healthcare providers are frequent targets because humans a weak link in any security program.

Consider the following data breach headlines:

• Phishing attack breaches 38,000 patient records at West Coast provider
• Iowa Health Group data breach hits 1.4 million patients
• Ryuk ransomware quickly racking up damage
• 142 healthcare data breaches in Q2, 30% caused by repeat offenders
• 417,000 Augusta University Health patient records breached nearly one year ago

With the numbers showing that data breaches continue to rise, email being the most likely source for a breach and that employees are responsible for more than 50% of the breaches in healthcare, it’s clear the industry can do more to protect patient health information.

To be clear this isn’t just a technology or human problem. Only by combining both can the industry better protect sensitive records and provide patients the same peace of mind as when they walk through the front doors for care.