An investigation conducted by Stacker has revealed the most common causes of health data breaches between March and May of 2023.
What happened
According to a report, Stacker compiled recent breach data from the HIPAA Journal, which creates breach reports similar to Paubox’s long-running monthly digest. Stacker noted that in 2022 alone, there were 707 healthcare breaches; meanwhile, in 2023, there were 273 breaches between January and May.
While there have been fewer breaches overall, breaches in 2023 generally compromise significantly more records than in previous years. On average, 150,000 records were compromised per breach in 2023, while 2022 saw an average of 75,000 records compromised per breach, meaning that each breach has had a greater impact on organizations and individuals.
Ultimately, Stacker found that the biggest causes for breaches were improper disposal, theft, unauthorized access/disclosure, and hacking or IT-related incidents.
Going deeper
Stacker reported that 75.8% of the breaches they sampled occurred from hacking or IT-related incidents. These incidents include ransomware attacks, which can be more costly and time-consuming to recover from. Stacker notes that these cases have risen substantially since the beginning of the COVID-19 pandemic, although the reason remains unclear.
The second largest cause was unauthorized access or disclosure, linked to 20% of data breaches. Unauthorized access is a broad term, as anyone viewing protected health information must have permission. Unauthorized access can include simple mistakes, such as handing the wrong documents to a doctor, or can be considered malicious if the information was deliberately shared.
Accounting for only 2.6% of the sample were breaches caused by theft. For this to occur, an individual has to come into physical contact with an information-storing device. And lastly, making up 1.6% of breaches was improper disposal, wherein a hard drive or other storage device was improperly cleaned or destroyed.
Related: HIPAA Compliant Email: The Definitive Guide
Why it matters
The report shows that the vast majority of incidents are occurring because of security flaws or cyberattacks. Rather than focusing on the physical safety of documents, healthcare organizations should turn their attention to ensuring that systems are up to date against the ever-evolving cyberattack strategies.
Furthermore, many breaches could also be prevented with stronger disclosure policies designed to ensure that data is not mistakenly given to unauthorized individuals. In April, Paubox similarly reported a finding that showed a gap in implementation policies that could be leading to unnecessary breaches.
Read more: New survey reveals gap in cybersecurity implementation
The bottom line
The data sampled only covered 190 breaches but can help organizations understand trends that are likely to continue. Breaches can be costly and difficult to resolve when they affect infrastructure, meaning that prevention and education is the best way to ensure that a cybersecurity incident doesn’t negatively impact an organization.
A good place to start is to monitor breaches so that you can stay up-to-date on trends in real time.
Read more: HIPAA Breach Report for June 2023
Abby Grifno
