Over 113 million health records breached in 2015 - up 10-fold from 2014

One out of every three Americans was affected by a healthcare record breach last year

One out of every three Americans was affected by a healthcare record breach last year, or more than 113 million people, up more than 10-fold from 12.6 million in 2014, according to a report released this morning by Bitglass.

Types of breaches changed dramatically, as well. In 2014, 68 percent of breached medical records were due to lost or stolen devices, but that percentage dropped to 2 percent last year.

Instead, in 2015, 98 percent of lost records were due to large-scale breaches.

"Lost and stolen devices have traditionally been the biggest source of compromised medical records," said Rich Campagna, vice president of products at Bitglass. "And that's completely switched."

One reason is that financial institutions have worked hard to reduce the value of stolen credit card numbers, he said, by quickly canceling and re-issuing stolen cards. Healthcare information, however, which includes insurance data, addresses, Social Security numbers and birth dates, continues to hold its value over time.

Meanwhile, healthcare organizations have locked down their devices.

There were a total of 140 breaches in 2014 due to loss or theft, and that dropped to just 97 last year.

"Last year, a much higher percentage of devices have shipped with encryption enabled," Campagna said.

Cyber attackers tended to use standard methods to compromise healthcare organizations last year, he added, using phishing to get employee credentials, then leveraging those credentials to get at the data itself.

"It's striking how run-of-the-mill these attacks have been," he said.

He recommended that companies train employees to spot phishing attacks, keep an eye out for similar-looking domains used to host spoofed corporate login or HR screens, and introduce two-factor authentication for suspicious logins.

"An employee logging in from a computer inside the network, it might be a low-risk situation," he said. "But if an employee is logging in from North Korea on an Android device -- when they previously only used iPhones -- that could be flagged."
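The kind of check Campagna describes can be sketched as follows. This is an added example, not code from the article or from Bitglass; the internal address range, the field names and the three decision labels are assumptions made for illustration, and the country and platform are assumed to be resolved upstream.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed for this example: the organisation's internal address space.
CORPORATE_NETS = [ip_network("10.0.0.0/8")]

@dataclass
class Baseline:
    """Countries and device platforms a user has previously logged in from."""
    countries: set = field(default_factory=set)
    platforms: set = field(default_factory=set)

@dataclass
class Login:
    source_ip: str
    country: str    # assumed to be resolved upstream by a GeoIP lookup
    platform: str   # assumed to be parsed upstream from the user agent

def anomalies(login: Login, base: Baseline) -> list:
    """List the ways this login deviates from the user's baseline."""
    addr = ip_address(login.source_ip)
    if any(addr in net for net in CORPORATE_NETS):
        return []   # inside the network: treated as low risk
    found = []
    if login.country not in base.countries:
        found.append("new_country")
    if login.platform not in base.platforms:
        found.append("new_platform")
    return found

def decide(login: Login, base: Baseline) -> str:
    """Password-only for familiar logins, second factor for unfamiliar ones."""
    count = len(anomalies(login, base))
    if count == 0:
        return "allow"
    return "step_up" if count == 1 else "step_up_and_alert"

def record_verified(login: Login, base: Baseline) -> None:
    """Extend the baseline only after the second factor has succeeded, so a
    stolen password alone can never teach the system a new location or device."""
    base.countries.add(login.country)
    base.platforms.add(login.platform)

# Constructed sample data: a user who has only ever used iPhones in the US.
alice = Baseline(countries={"US"}, platforms={"iOS"})
office = Login("10.2.3.4", "US", "Windows")
travel = Login("198.51.100.7", "CA", "iOS")
odd = Login("203.0.113.9", "KP", "Android")
```
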

In fact, many healthcare organizations are missing the opportunity to take advantage of two-factor authentication systems that are already in place.

For example, 37 percent of healthcare organizations were using Google Apps or Office 365 in 2015, up from 8 percent in 2014.

But only 5.2 percent were using the single sign-on feature of these platforms, a basic security precaution.

"A lot of healthcare organizations are moving away from on-premises applications to the cloud," Campagna said.

"That makes the other types of authentication techniques, like multi-factor, much more important. It can be secure, but only if the cloud applications are used in a secure fashion."


Stories by Maria Korolov
