Data breaches cost health organizations $12 billion last year

‘Hacking and IT Incidents’ accounted for more than 60 percent of all data leakage.


Data breaches cost health care organizations nearly $12 billion in 2019, a new report has found. The Health Care Breach Report was released by Bitglass, a cloud security company based in Silicon Valley. The company said its sixth annual report on data breaches in health care found more than 27 million people were affected.

Using information from the U.S. Department of Health and Human Services, Bitglass found the total number of records exposed to hackers doubled between 2018 and 2019. The report broke down data breaches into different categories and explored the implications for health care organizations, based on those different types of incidents.


“Last year, ‘Hacking and IT Incidents’ was the top cause of breaches in health care, accounting for more than 60 percent of all data leakage,” said Anurag Kahol, CTO of Bitglass. “This is not particularly surprising given the fact that threat actors are maturing their capabilities and adapting to security measures organizations put in place, like multi-factor authentication. Health care databases are heavily targeted by cybercriminals as they hold a wealth of sensitive information like medical histories, Social Security numbers, personal financial data, and more. This means that health care firms must employ the appropriate technologies and cybersecurity best practices to ensure all data within their IT systems is secure around the clock.”

Types of breaches

Hacking/IT incidents, the breaches related to malicious hackers and improper IT security, were most common last year (45.9 percent of breaches) and affected the most people (67 percent of all individuals affected). The report noted a rise in “mega breaches”—incidents that affected tens of thousands of people—in 2019.

Unauthorized access or disclosure, which includes all unauthorized access and sharing of personal health information (PHI), was the cause of 35.9 percent of breaches, affecting 23.9 percent of individuals.

Loss or theft of endpoint devices such as laptops or tablets accounted for 15.5 percent of cases, affecting 6.1 percent of individuals. Efforts to maintain better security on devices seem to be paying off, as the report found that the number of breaches from lost or stolen devices dropped from 148 in 2014 (the top-ranked cause of breaches that year) to 42 breaches in 2019—the third highest type of breach, out of the 4 main types.

The lowest percentage of breaches came from “other” causes—primarily related to things like improper disposal of data. This area accounted for 2.9 percent of both the number of breaches and individuals affected.

High costs—and slow responses

The Bitglass report notes that the total costs associated with data breaches jumped in 2019, from $4.7 billion in 2018 (an average of $408 per breached record) to $11.8 billion in 2019 ($429 per record).

“This is the highest per-record cost of any industry—finance ($210) comes in second and government ($78) lands last,” the report said. “Additionally, $429 represents a 3.5 percent increase over 2018 and an 11.4 percent increase since 2017.”

These costs are compounded by the slow response time to data breaches. Health care firms took a mean time of 236 days to identify breaches and a mean time of 93 days to contain them—both figures are the highest of any industry in dealing with data breaches.

The report includes other information, including the fact that Texas was by far the state with the highest number of health information data breaches in 2019, at 37 breaches, 50 percent more than California (25), the state with the second-highest number of breaches.

The Bitglass blog notes that the report outlines the serious threat to PHI posed by those seeking to exploit health data. “Undoubtedly, this sensitive information attracts a lot of attention from malicious entities that aim to exploit this data for political or monetary gain,” the blog said. “All factors considered, billions of dollars are wasted annually because of improper cybersecurity in health care.”
