What is a Health Data Breach?
A data breach is an incident that results in the exposure of confidential, private, protected, or sensitive information to a person or entity that was not authorized to access it. A data breach can be caused by actions that were either accidental or intentional. Some examples of data breach causes include:
Accidental insider. An example of an accidental insider would be an employee who left files unlocked at their workstation, where they were then read by a co-worker. Even though the access was unintentional and no information was collected, the unauthorized access is still considered a data breach.
Malicious insider. An example of a malicious insider is a disgruntled coworker who intentionally accesses data and then shares that data with the intention of causing harm to an individual or the organization. While the insider had authorized access to the data, they exposed the data with malicious intent.
Malicious outsider. An example of a malicious outsider is a cyberattacker who accesses data without authorization. Popular methods used by cyberattackers include phishing, brute force attacks, and malware.
Stolen or lost devices. The loss or theft of any unencrypted or unlocked laptop, mobile phone, USB drive, tablet, CPU, external hard drive, or other device containing sensitive data can be considered a data breach.
Healthcare data breaches have been increasing in number and scope, with data breaches of 500 or more records being reported at a rate of around 1.95 per day in 2021 [1]. Cyberattackers find healthcare data more valuable than other data types because a healthcare record often contains all of an individual’s personally identifiable information, whereas other data types may contain only a few elements. According to a Trustwave report, a healthcare data record may be valued at up to $250 per record on the black market, with the next highest value record (a payment card) receiving only $5.40 [2]. Common vulnerabilities targeted by malicious actors include:
- Weak credentials
- Stolen credentials
- Payment card fraud
- Third-party access
- Mobile devices
When malicious actors obtain the data, they can use it to:
- Withdraw money from your banking and investment accounts
- Open and use new credit cards under your name
- File tax returns in your name and obtain the tax refund
- Get medical treatment using your health insurance
- Apply for government benefits
- Open utility or telecommunication accounts
- Steal and use your credit card rewards
- Sell the data on the black market
When a health data breach occurs, the HIPAA Breach Notification Rule requires that covered entities and their business associates report breaches of unsecured protected health information, including physical copies of protected health information. A breach is defined as the acquisition, access, use, or disclosure of unsecured protected health information in a manner not permitted by the HIPAA Rules. All individuals impacted by a data breach, meaning anyone whose unsecured protected health information was accessed, acquired, used, or disclosed, must be notified of the breach. Breach notifications are also required for any individual who is reasonably believed to have been affected by the breach. Breach notifications should be sent by first class mail to the last known address of the breach victims, or by email if individuals have given authorization to be contacted electronically. Notification requirements also include notifying HHS and the media. In the event that ten or more individuals impacted by the breach do not have up-to-date contact information, a substitute breach notice must also be posted on the home page of the breached entity’s website.
[1] HIPAA Journal, 2022, “Healthcare Data Breach Statistics”
[2] Trustwave, 2019, “2019 Global Security Report”