News Feature | May 27, 2015

Ponemon Study: Most Healthcare Organizations Have Experienced A Data Breach

By Megan Williams, contributing writer

Ponemon has released its Fifth Annual Benchmark Study On Privacy & Security Of Healthcare Data, and it reveals what most of the industry already knows … healthcare organizations are under heavy attack from cybercriminals.

The Study

This year's study was extended beyond healthcare organizations to include business associates (BAs). Overall, the study covered 90 covered entities and 88 BAs. The decision to expand the study came from a desire to take a broader look at the healthcare industry and to reflect the impact that third-party vendors have on patient data security.

For the first time in the study's history, criminal attacks came in as the number one cause of data breaches in healthcare (as opposed to loss or theft of devices and records). That change in dominance is due to a 125 percent increase in criminal activity over the last five years. The number reflects 45 percent of reporting organizations saying the root cause of their breach was a criminal attack, and another 12 percent naming a “malicious insider.” On the BA side, 39 percent pointed to a criminal attack and 10 percent to a malicious insider.

Criminal Details

The breakdown of criminal-based incidents is even more alarming. Among BAs, 82 percent named Web-borne malware attacks as a cause of security incidents. The number was 78 percent for covered entities.

Breaches have grown to the point where they are an everyday occurrence. A full 87 percent of BAs reported that their organizations had experienced electronic information-based security incidents over the past two years. That number was 65 percent for healthcare organizations. When it comes to paper-based security incidents, 41 percent of BAs and 54 percent of healthcare organizations experienced these events.

Solutions providers should take notice, as the survey also indicates that many of the vulnerable organizations have neither the budget nor the resources to protect both electronic and paper-based protected health information (PHI). A lack of funding and resources was named by more than 50 percent of both BAs and covered entities.

Risk To The Patient

At the same time, the needs of the most vulnerable party, the patients, are not being addressed. This is despite the fact that medical identity theft is one of the most difficult and expensive forms of identity theft to recover from.

Theft of medical identities has almost doubled over the last five years, now affecting more than 2.3 million victims as of 2014. Victims are left paying an average of $13,500 in the process of restoring their credit, reimbursing providers, and correcting inaccuracies. Still, almost two-thirds of covered entities and BAs offer no protection services for patients whose information has been breached.

Moving Forward

According to Carmine Clementelli, security expert with PFU Systems (a Fujitsu company), forward-thinking institutions need to do three things to avoid data breaches.

“Prevention is as key to data security as it is to health, and new proactive monitoring works in concert with existing policies and systems to ensure the safety of BYOD, and let hospitals and health-sector organizations manage who and what is on the network, without introducing network complexity or constricting personnel policies. Self-assessment — in terms of next gen security — includes behavioral traffic analysis and advanced intrusion prevention to monitor the network's health, and detect the viruses and malware that thieves use. The third step is basic hygiene. Fortunately, managing applications, permission policies, and risk levels at the data and subnet levels is easier for IT than it’s ever been, thanks to breakthroughs over the last year.”

IT Solutions Providers Highlights

  • BA perceptions of privacy and data protection: page 4
  • Security threats that most worry BAs: page 11
  • Security incidents experienced by BAs: page 12
  • Causes of organizational breaches and types of patient data successfully targeted: page 16
  • Harms suffered by patients after lost/stolen records: pages 19-20
  • Trends in the nature of the breach incident: page 24