Report reveals scale of health record data breaches

392 million protected health records disclosed globally

A new Verizon report reveals the scale of data breaches affecting protected health information (PHI) records.

More than 392 million PHI records have been disclosed during 1931 data breach incidents, states the report, which draws on data dating back to 1994 but mainly focuses on incidents between 2004 and 2014.

Alongside the health sector, the inaugural PHI Data Breach report includes breaches from industries such as agriculture, manufacturing, retail, finance, education and public service.

The report includes data from 25 countries, including Australia, although the majority of the data is drawn from the US.

Verizon said that, despite the US slant to the data, its research found that “adversaries' tactics are influenced by the data they are interested in, as well as the assets that process and store the data — not the country in which the data resides”.

The majority of data breaches involved the theft of devices such as laptops, tablets or thumb drives; human error involving records being sent to the wrong person; and insiders abusing their access to health records for financial gain.

According to the report, these three categories made up 86 per cent of all the data breaches.

In some cases, discovering a breach took organisations months or even years.

"For those incidents taking years to discover, they were three times more likely to be caused by an insider abusing their LAN access privileges and twice as likely to be targeting a server, particularly a database," the report said.

Verizon Enterprise Solutions senior analyst Suzanne Widup said that many organisations are not doing enough to protect patient data.

“This can lead to significant consequences impacting an individual and their family and increasing healthcare costs for governments, organisations and individuals. Protected health information is highly coveted by today’s cybercriminals,” she said.

According to the report, people are also withholding information from their healthcare providers because they are concerned that there could be a data breach.

“Healthcare organisations need to realise that patients trust them with their data and if that trust is broken, the implications can be huge,” Widup said.

For example, an unwillingness to fully disclose information could delay a diagnosis of a communicable disease such as HIV, the report said.