Criminal attacks cause most breach incidents, report says

For the second year in a row, more health care organizations reported criminal attacks as the leading cause of data breaches than any other threat: 50 percent of covered entities (CEs) attributed data breaches that occurred in their organizations within the last two years to criminal attacks, compared to 41 percent that blamed a “third-party snafu.” According to a Ponemon Institute report sponsored by ID Experts, 89 percent of CEs had a data breach in the past two years, and 45 percent experienced more than five breaches in the same period. Despite the prevalence of criminal attacks, however, employee negligence was a larger concern among health care organizations and their business associates (BAs) than cyberattackers themselves. The results indicated that organizations may need to reallocate their resources, but confirmed that security incidents are now part of the normal course of business.

Breach causes

In addition to reporting that breaches resulted from criminal actions and third-party snafus, CEs reported that only 36 percent of breaches resulted from unintentional employee actions and 8 percent resulted from intentional, but non-malicious, employee actions. Stolen computing devices (39 percent), technical systems glitches (29 percent), and malicious insiders (13 percent) also played a role.

Despite these figures, 69 percent of CEs reported that employee negligence was among their top three concerns related to the security of sensitive and confidential information, compared to only 45 percent who worried about cyberattackers. In an interview with Wolters Kluwer, however, Mac McMillan, FHIMSS, CISM, CEO of CynergisTek, Inc., stated, “I believe the stats are clear: hacking accounted for well over 90 percent of the records lost last year, with all other categories combined contributing less than 10 percent of that number . . . It’s the impact of the incident that matters, and clearly hacking is having a larger negative impact.”

Rick Kam, President and Co-founder of ID Experts, told Wolters Kluwer, “In health care, there are many ‘data touches’ including multiple employees who can be careless and third parties handling patient data,” a category that covers third-party snafus, stolen computing devices, and unintentional employee actions. Unlike CEs, BAs cited unintentional employee actions as the biggest driver of breaches, at 55 percent, with third-party snafus accounting for 52 percent and criminal attacks accounting for 41 percent. Interestingly, only 53 percent of BAs reported employee negligence as a top concern.

Types of attacks

In the realm of cyberattacks, CEs and BAs were both most concerned about denial of service (DoS) attacks, in which attackers make a machine or network resource unavailable to its intended users, for example by temporarily suspending the services of a host connected to the internet. This concern was followed by the threat of ransomware, in which attackers infect systems with malware (hostile or intrusive software) and effectively hold system access hostage until the victim agrees to pay a ransom, and then by malware in general. Although McMillan acknowledged these threats, he expressed concern that “many health care executives do not fully appreciate the cyber threat they face today.”

Among CEs, medical files were far and away the data most commonly lost, accessed without authorization, or stolen, with 64 percent of CEs mentioning them, compared to 45 percent reporting billing and insurance records. Among BAs, however, 56 percent reported that billing and insurance records were the data affected, followed by 45 percent reporting payment details.

Patient impact

Covered entities recognized the impact that data breaches can have on patients. Seventy-nine percent stated there is a risk that personal health facts will be disclosed, 66 percent believed patients are subject to an increased risk of medical identity theft, and 61 percent believed patients are subject to an increased risk of financial identity theft. Thirty-eight percent of CEs were aware of medical identity theft affecting customers within the past two years, although 48 percent of those instances were attributed to unintentional employee action, compared to 9 percent attributed to criminal attacks. Perhaps those attribution percentages explain why only 56 percent of CEs believed that they should provide data breach victims with credit monitoring or medical identity theft protection. McMillan noted a “glaring disconnect” between the figures, but suggested that it may arise because “very few ever use the credit protection provided so it becomes a huge expense for nothing.” Kam opined, “organizations are becoming more knowledgeable about what consumer remedies to offer based on the risk presented by the types of information lost or stolen in a data breach.”

Health care CEs and BAs believe they are more vulnerable to data breaches than other industries. Fifty-six percent of CEs that have instituted an incident response plan say that more funding and resources are necessary to make the plans effective. However, 52 percent of CEs reported that their security budgets remained the same over the past two years. Only 30 percent reported budget increases, while 10 percent reported decreases. The report suggested that breaches could be costing the health care industry $6.2 billion.

The report is Ponemon’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. It is the second report to include BAs among its surveyed entities, reflecting responses from 91 CEs and 84 BAs. (For the 2015 report, see This time it’s crime: the lawlessness of health care data breaches, Health Law Daily, May 8, 2015.) Fifty percent of responding CEs were private health care providers; 32 percent of BAs were part of the pharmaceutical industry, compared to only 24 percent in the information technology (IT) services/cloud services industries.