When hackers possibly stole the personal-health data of 10 million people from Excellus, a health-insurance company, it was just the latest in a string of recent cyberattacks that targeted health-care companies.* This year, cyberattacks on Premera and UCLA Health Systems released millions more customers’ health records into the wild.
But when it comes to losing health data, health-care companies are only a part of the picture. In fact, according to research published Wednesday by Verizon’s business division, 90 percent of industries—from retail and finance to construction and mining—have experienced a breach of personal-health information.
While the organizations in these other sectors may not keep extensive databases of patient information the way a health-care facility or insurer might, businesses in every industry have data from employee benefits and wellness programs, and many deal with workers’ compensation claims. Included in all three are troves of personal-health data.
But often, companies outside the health-care sector don’t take steps to secure health data the same way they do other information. “They’re focused on protecting their customer data, or they’re focused on their intellectual property,” said Suzanne Widup, the report’s lead author. “And that’s why I think that when some of these breaches have happened, it’s been a bit of a shock to organizations.”
The Verizon researchers analyzed data spanning 25 countries and 20 years. The 1,900 breaches in the dataset accounted for nearly 400 million stolen health records—but the actual number of stolen records is likely much higher, because some organizations did not report the extent of their breaches.
Although the phrase “data breach” calls to mind large-scale hacking operations like the one that targeted the U.S. Office of Personnel Management earlier this year, the majority of the breaches in the report were actually the result of a lost or stolen item—for example, an employee’s laptop might get swiped, or even just left in the backseat of a taxi during a business trip. Whoever found or stole these computers got much more than just a piece of hardware to resell: Many contained unencrypted databases full of sensitive health information.
If the contents of these laptops were encrypted—a relatively simple change that would protect them from unauthorized access—a large portion of reported breaches could be avoided. Some companies say they’ve left their data unencrypted out of fear that encryption could slow access to files that need to be pulled up quickly. But it’s more likely, Widup says, that building in strong encryption is just not a priority for many organizations.
The upside of breaches that result from laptop theft is that they’re reported quickly, allowing cleanup crews to get a jumpstart on minimizing the damage. According to the Verizon dataset, of all the incidents discovered in 2014, nearly one-third were reported within days. But half had taken place months or even years earlier, leaving a massive window for multiple thefts from a database.
The researchers found that the majority of the breaches that go undiscovered for a long time are perpetrated by an insider: It’s much harder to detect someone snooping around if they’re just abusing their own network-access privileges. There are certain tools that monitor network activity and raise flags when something unusual happens—if, for example, an unauthorized person downloads gigabytes of sensitive health data all at once—but even when these tools are installed, they often go unmonitored, Widup says.
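As an added illustration of the kind of rule such monitoring tools apply (this is example code written for this page, not anything from Verizon or the report), the following script parses a small constructed access log and raises two kinds of flags: a user whose transfer volume within a sliding one-hour window exceeds a threshold, and any bulk export that happens outside business hours. The log format, the user names, the datasets and the 500 MB threshold are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real data). One line per access:
# timestamp, user, action, dataset touched, bytes transferred.
SAMPLE_LOG = """\
2015-09-14T09:02:11Z user=alice action=read dataset=claims bytes=48213
2015-09-14T09:15:40Z user=alice action=read dataset=claims bytes=51002
2015-09-14T09:30:05Z user=bob action=read dataset=benefits bytes=12000
2015-09-14T22:10:01Z user=bob action=export dataset=claims bytes=734003200
2015-09-14T22:14:37Z user=bob action=export dataset=benefits bytes=512000000
2015-09-15T08:00:00Z user=carol action=read dataset=wellness bytes=9000
"""

# Hypothetical key=value log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"dataset=(?P<dataset>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a bad line should not take the detector down
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "action": m["action"],
            "dataset": m["dataset"],
            "bytes": int(m["bytes"]),
        })
    return events


def flag_bulk_downloads(events, window=timedelta(hours=1),
                        threshold_bytes=500 * 1024 * 1024):
    """Flag each user (once) whose bytes transferred inside any sliding
    window of length `window` exceed `threshold_bytes`."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, total, flagged = 0, 0, False
        for i, e in enumerate(evs):
            total += e["bytes"]
            # Slide the window start forward until it fits within `window`.
            while evs[i]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["bytes"]
                start += 1
            if total > threshold_bytes and not flagged:
                alerts.append({"user": user, "ts": e["ts"],
                               "bytes_in_window": total,
                               "reason": "bulk transfer"})
                flagged = True
    return alerts


def flag_after_hours_exports(events, start_hour=20, end_hour=6):
    """Flag every export that starts between start_hour and end_hour (UTC)."""
    alerts = []
    for e in events:
        hour = e["ts"].hour
        if e["action"] == "export" and (hour >= start_hour or hour < end_hour):
            alerts.append({"user": e["user"], "ts": e["ts"],
                           "bytes_in_window": e["bytes"],
                           "reason": "after-hours export"})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in flag_bulk_downloads(evs) + flag_after_hours_exports(evs):
        print(alert)
```

On the constructed log this flags only "bob": one bulk-transfer alert (his first export alone crosses the threshold) and two after-hours exports. The rule is deliberately simple; what matters for the insider cases in the report is less the sophistication of the rule than that its output is routed to someone who actually reads it.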
No matter how they leak, stolen health records don’t just affect the individuals whose data is compromised. These breaches can also ripple outwards to harm the entire health-care system—studies show that people who don’t feel confident that their information will be kept private are likely to share less with their doctors, which can hinder life-saving diagnoses and treatments.
But these patients’ lack of confidence is not unfounded. It’s hard to know the full extent of the health data that is breached every year—companies are generally reluctant to announce embarrassing breaches, and uneven reporting requirements mean they’re often not compelled to do so. Studies like the Verizon report highlight just a small fraction of a widespread problem; meanwhile, many organizations are unlikely to care about the health information they possess until it’s already gone.
* This article has been updated to clarify that the theft of personal data from Excellus is possible, but still unconfirmed.