Protected Health Information shows up in 90 percent of sectors, not just healthcare


Initial findings from Verizon’s inaugural Protected Health Information Data Breach Report suggests securing PHI Data is a much more expansive undertaking

verizonimgVerizon Enterprise Solutions has unveiled select initial findings from its inaugural 2015 Protected Health Information (PHI) Data Breach Report at the Connected Health Summit in Washington, D.C. The 2015 report will examine how PHI breaches are affecting the doctor-patient relationship, how PHI breaches are happening, how long it takes to discover a breach, and how to mitigate the risks. PHI is defined as personally identifiable health information on an individual, and is covered by one of the state, federal or international data breach disclosure laws.

The initial swipe of the data indicates that a whopping 90 percent of industries experienced a PHI data breach and that this type of data breach has widespread implications across many sectors besides healthcare. Of 20 sectors studied, only the utilities and management industries had no reported PHI breaches.

The Data Breach Investigations Report team examined incidents from 25 countries to produce this report including detailed analysis of confirmed breaches involving more than 392 million records and 1,931 incidents.

Verizon’s data breach research has consistently shown that hackers’ tactics are influenced by what data they are after and where that data is stored and processed. The country where the data resides and the size of the company are not significant factors.

One area of difference for PHI data breaches versus all kinds of data breaches is who is carrying out the attacks.  The number of external and internal bad actors is nearly equal with 5 percentage points difference, meaning there is a lot of insider misuse of PHI.

“Protected Health Information is gold for today’s cybercriminal,” said Suzanne Widup, lead author for the Verizon Enterprise Solutions report. “What makes our findings even more troubling is that many sectors – especially those outside of the healthcare industry – aren’t even aware that they hold this type of data. The ramifications for stolen medical information can literally be a life and death situation.”

According to the report’s findings, medical record data is often taken with malicious intent; however, it is frequently the personable identifiable information (PII) that attackers are really after.

“This data can be extremely damaging in the hands of those wanting to commit various types of financial fraud,” added Widup.

Slated to be released in its entirety in December, the report is aimed at helping organizations across all sectors understand the importance of identifying and protecting this information before a data breach occurs.

Verizon 2015 Protected Health Information Data Breach Report
As part of Verizon’s Data Breach Investigations Report (DBIR) series, the PHI Report is based on actual casework and is the first and only report of its kind in the industry. This report analyzes protected health information data breaches with a focus on the healthcare industry including ambulatory healthcare services, hospitals, nursing and residential care; and social assistance across North America, Europe and the Asia-Pacific region.

The report contains incidents contributed by the following organizations:  ACE Group, the CERT Insider Threat Center, CrowdStrike, Deloitte, the Dutch National High Tech Crime Unit, G-C Partners, LLP, Kaspersky Lab, Mishcon de Reya, NetDiligence, and the U.S. Secret Service. The study also includes the U.S. Health and Human Services incident database (for incidents affecting at least 500 individuals), and a significant number of records from the U.S. Veteran’s Administration as reported to Congress (from the VERIS Community Database project).

For early access to the report, sign up to be an Verizon Enterprise Solutions Insider:

Visit the Verizon Enterprise Solutions’ Products and Services Center to learn how to improve your business with the latest technologies and network solutions.