Lost and Stolen Mobile Devices Are the Leading Cause of Healthcare Data Breaches
A lost or stolen laptop, tablet, or smartphone can complicate a healthcare data breach, as a recent story from Texas makes clear.
The thief who burglarized the headquarters of Sunglo Home Health Services in Harlingen, Texas, broke into one van, found the keys to another, loaded the second van with tools and equipment, and sped off. Later he returned to Sunglo’s offices, used a fire extinguisher to smash a window, and stole a laptop.
That laptop happened to contain the Social Security Numbers and Personal Health Information (PHI) of Sunglo patients. Sunglo’s IT department couldn’t say whether or not the data was encrypted. Police later apprehended the burglar—most of this story was captured on video—but they never recovered the laptop.
This burglary was hardly a major news story, but unfortunately it is the kind of story that is all too common. Lost and stolen mobile devices are a leading cause of healthcare data breaches, and hence of HIPAA compliance woes, according to a recent survey by Bitglass.
The survey found that:
- 68 percent of healthcare data breaches were due to the loss or theft of mobile devices or files.
- 48 percent of data lost was on a laptop, desktop computer, or mobile device.
- Only 23 percent of the breaches resulted from hacking not connected directly to the loss or theft of a mobile device.
As these numbers show, healthcare organizations (HCOs) and their business partners need to do a much better job of protecting PHI on mobile devices, if they want to achieve HIPAA compliance and avoid a healthcare data breach, or HIPAA breach. They should ensure that PHI is always encrypted, whether in transit or in storage, and that IT administrators can remotely wipe data on lost or stolen devices. Information security policies and training should be extended to cover use of mobile devices.
Overview of Healthcare Data Breaches
Healthcare data breaches occur when unauthorized individuals gain access to sensitive information about patients, doctors, or other medical professionals. This information can include medical records, personally identifiable information or protected health information (PII/PHI), and financial information.
The consequences of these breaches can be serious, including identity theft, financial loss, and damage to a patient’s reputation. In addition, healthcare organizations and their business associates can face legal and financial repercussions if they fail to properly safeguard patient data.
There are several common causes of healthcare data breaches, including insider threats, hacking, and accidental exposure. Healthcare organizations can take steps to prevent these breaches by implementing robust cybersecurity measures, training staff on proper data handling procedures, and conducting regular assessments of their systems and processes.
4 Most Common Causes of Healthcare Data Breaches
These breaches have some disturbing commonalities. Here are the top four causes of healthcare breaches:
- Unsecured Networks: Unsecured networks are one of the most common causes of healthcare data breaches, as they can easily be breached if they lack the proper security measures. Without strong passwords, firewalls, and encryption, hackers can access such networks and steal confidential patient information.
- Insufficient Training: Professional negligence is another major cause of healthcare data breaches, as inadequate training can lead to mistakes and a lack of understanding of best practices. This can result in staff members failing to implement security protocols properly or using easily guessed passwords.
- Unencrypted Data: Healthcare organizations often store sensitive patient data in unencrypted formats, making it easy for hackers to gain access and steal private records. To protect such data, organizations should always ensure that data is encrypted before being transferred or stored.
- Malicious Software: Malicious software, such as malware and ransomware, can be used by hackers to gain access to a healthcare organization’s network.
Major Mobile Security Threats That Cause Healthcare Data Breaches
Mobile technology has enabled healthcare professionals to work remotely and access patient information on the go. However, this convenience comes with certain risks. Mobile devices are vulnerable to various security threats, including:
- Lost or stolen mobile devices: Losing a mobile device that contains sensitive patient information can lead to a data breach if the device is not password-protected or encrypted.
- Malware and phishing attacks: Malicious software and phishing attacks can trick healthcare professionals into downloading or sharing sensitive information, which can then be used for nefarious purposes.
- Unsecured Wi-Fi networks: Healthcare professionals often use public Wi-Fi networks to access patient information, which can put that data at risk if the network is not secure.
- Inadequate security measures: Many healthcare organizations do not have the proper security measures in place to protect patient data, such as strong passwords, encryption, and two-factor authentication.
- Personal use of mobile devices: Healthcare professionals may use their personal devices to access patient information, which can be risky if the device is not secure or if they share it with others.
- Outdated software: Using outdated software on mobile devices can make them vulnerable to security breaches, as these older versions may not have the latest security patches or updates to protect against new threats.
- Employee negligence: Employees who are not properly trained in mobile security best practices or who do not follow protocols can inadvertently cause data breaches by sharing sensitive information, losing devices, or falling for phishing scams.
- Third-party apps: Healthcare professionals may use third-party apps to access patient information, which can be risky if the app is not secure or if it accesses data without proper authorization or consent.
- Bring your own device (BYOD) policies: BYOD policies allow healthcare professionals to use their own devices for work purposes, which can lead to security risks if the devices are not properly secured, monitored, or managed by the organization.
- Physical security: Physical security threats, such as theft or unauthorized access to mobile devices, can also lead to healthcare data breaches if sensitive information is not properly protected or encrypted.
What Types of Healthcare Data Are Usually Stolen?
Hackers frequently break into devices in search of very specific information. The most common types of healthcare data stolen from mobile devices include:
- Personal information such as name, address, and Social Security number
- Protected health information (PHI), including medical histories, diagnoses, lab results, and insurance information
- Credit card information and financial data
- Account credentials like login names and passwords
- Confidential patient data stored in electronic health records
- Confidential emails and text messages regarding patient care
- Electronic medical images, such as X-rays, CT scans, MRIs, etc.
Healthcare Data Breach Statistics
When hackers are able to exploit the same vulnerabilities and access the same types of healthcare data, the frequency of breaches increases, as does the subsequent financial damage. Here are five disturbing healthcare data breach statistics:
- 15.1 million healthcare records were exposed in 2018, the highest number ever reported.
- Over half (54%) of healthcare data breaches were caused by hacking or IT incidents.
- The average cost of a healthcare data breach is $6.45 million.
- Almost 80% of healthcare organizations don’t have an incident response plan.
Unfortunately, the outlook is not good for mobile device thefts, particularly in cases where thieves suspect the devices contain PHI. According to the World Privacy Forum (quoted by RSA):
“The street cost for stolen medical information is about $50, versus $1 for a stolen Social Security number. The average payout for a medical identity theft is $20,000, compared to $2,000 for a regular identity theft.”
Criminals follow the money, and stolen PHI is worth big money. To protect PHI and avoid healthcare data breaches, HCOs and their partners should act now. They should strengthen their IT security, including their IT security for smartphones, tablets, and laptops.
How Does the Number of Data Breaches in the Healthcare Sector Compare With Other Sectors?
According to the Identity Theft Resource Center, the healthcare sector experienced the second-highest number of data breaches in 2020, accounting for 11.8% of all reported breaches. The business sector experienced the most data breaches, accounting for 45.1% of reported breaches, followed by the education sector at 9.7%. However, when it comes to the number of records exposed, the healthcare sector still leads all other sectors. In 2020, the healthcare sector accounted for over 30% of all records exposed, followed by the financial and business sectors. This highlights the ongoing vulnerability and importance of improving cybersecurity measures in the healthcare sector.
The 13 Biggest Data Breaches in Healthcare Ranked by Impact
Given the monetary value of stolen PHI, it’s no surprise healthcare data breaches are 1. common and 2. costly. Here are 13 of the biggest data breaches in healthcare, ranked by financial impact:
- Anthem Inc.: This breach was the biggest ever, impacting a staggering 79 million individuals. Hackers accessed records stored in a database containing names, dates of birth, addresses, Social Security numbers, and other personal information.
- Premera Blue Cross: This breach affected 11 million individuals. The hackers managed to gain access to records containing names, birth dates, addresses, Social Security numbers, and emails, among other information.
- UCLA Health System: Over 4.5 million patient records were exposed in this data breach. The records contained names, dates of birth, Social Security numbers, and other health information.
- Excellus BlueCross BlueShield: This breach impacted nearly 10 million individuals. Hackers gained access to Social Security numbers, bank account numbers, and medical information.
- Advocate Medical Group: This breach exposed the personal information of 4 million individuals. The records contained names, dates of birth, Social Security numbers, and other data.
- East Coast Orthopedic Group: Approximately 4.5 million patients’ records were exposed in this data breach. The records contained names, addresses, Social Security numbers, and other health information.
- Newkirk Products: This breach exposed 3.5 million patient records. The records contained names, Social Security numbers, dates of birth, and other information.
- 21st Century Oncology: This breach impacted 2.2 million patients. The records contained names, Social Security numbers, dates of birth, and other health information.
- Community Health System: This breach exposed 4.5 million patient records. The records contained names, Social Security numbers, dates of birth, and other information.
- Triad Healthcare: Approximately 2.3 million patients’ records were exposed in this data breach. The records contained names, Social Security numbers, dates of birth, and other health information.
- Banner Health: This breach impacted 3.7 million individuals. The records contained names, Social Security numbers, dates of birth, and other data.
- CareFirst BlueCross BlueShield: This breach exposed the personal information of 1.1 million individuals. The records contained names, addresses, Social Security numbers, and other data.
How Can Healthcare Organizations Mitigate Data Breaches?
Data breaches in healthcare organizations can have serious consequences, including compromised patient confidentiality, financial loss, and loss of trust. To mitigate the risks of data breaches, healthcare organizations must implement strong security measures to better protect patient data and prevent potential data breaches. Here are a few data security best practices healthcare organizations should strongly consider:
- Implement strong security measures: Healthcare organizations must utilize strong security measures such as encryption, firewalls, and access controls to secure their data.
- Conduct regular risk assessments: Conducting regular risk assessments will help identify vulnerabilities and prevent data breaches.
- Train employees: Conduct regular training sessions for employees to teach them about the importance of data security, how to identify and report potential threats, and best practices for handling sensitive information.
- Develop strong policies and procedures: Develop and enforce strong policies and procedures for data security, including access controls, data retention, and incident response.
- Use multi-factor authentication: Implement multi-factor authentication to prevent unauthorized access to sensitive data.
- Monitor and detect threats: Healthcare organizations should have a robust monitoring and detection system in place to detect and respond to potential threats in real time.
- Partner with trusted vendors: Healthcare organizations should partner with vendors that have a proven track record of data security and privacy compliance.
- Plan for incident response: Develop a comprehensive incident response plan that outlines a step-by-step process for responding to data breaches, including notification procedures, containment and investigation, and remediation.
- Conduct regular audits: Conduct regular audits of systems and processes to identify vulnerabilities and ensure compliance with data security regulations.
- Stay up to date with regulations: Healthcare organizations must stay up to date with data security regulations and comply with all applicable laws and regulations, including HIPAA and GDPR.
Kiteworks Helps Healthcare Organizations Protect PHI With Secure Mobile File Sharing
The Kiteworks Private Content Network helps healthcare organizations and their business associates protect PHI and patient privacy whenever it’s accessed, sent, shared, or received from a mobile device, even in the event of a lost or stolen device. Secure mobile file sharing lets doctors, administrators, staff, suppliers, and vendors share PHI simply, securely, and in compliance with HIPAA. With capabilities like a secure mobile container that keeps PHI locked away from other content on the device and remote wipe that allows administrators to remotely delete PHI, medical staff avoid costly healthcare data breaches and avoid HIPAA violations. With Kiteworks, healthcare professionals have a secure mobile file sharing solution that provides safe, simple, and compliant access to patient records, so they can find the content they need quickly, review and edit it easily, and share it securely and in compliance to mitigate the risk of a data breach or HIPAA violation.