What could feel more invasive than knowing your protected health information, also known as PHI, had been compromised?
Imagine this: learning that your organization had exposed hundreds, thousands, maybe even millions of PHI records entrusted to it by customers and/or employees. If your head starts spinning through the repercussions, including fines, lawsuits, and the real possibility that your business may never be the same again, you’re on the right track.
Whether by mistake or malicious intent, PHI breaches do happen, as a recent Verizon report lays out in eye-opening detail. The phone carrier well known for its annual Data Breach Investigations Report has released its inaugural PHI Data Breach Report. The new report details PHI breach trends involving more than 392 million records and 1,931 incidents across 25 countries.
Not Just Healthcare
Verizon’s analysis found that 90 percent of industries, or 18 out of 20 scrutinized in the report, have experienced a PHI data breach. Healthcare organizations unsurprisingly topped the list for number of breaches and records compromised, though other types of industry, such as finance, retail, and the public sector, were also represented.
What are these other industry groups doing with PHI? As the report points out, organizations in many industries handle workers’ compensation claims, which almost always involve medical records. Company-managed wellness programs, too, are a source of PHI that some organizations might not even realize they hold.
“The fact that an organization is not in the healthcare industry or isn’t a HIPAA-covered entity doesn’t mean that it’s not at risk of a PHI data breach,” the report authors write.
Just the Facts
Overall, the report found that nearly half the U.S. population has been impacted by a PHI breach of some sort since 2009. Of all the individual PHI breach incidents in the report:
- 45.4% were the result of lost or stolen assets, such as a laptop
- 20.3% were the result of privileged access misuse (insider misdeeds)
- 20.1% were the result of miscellaneous errors, such as sending an email containing PHI to the wrong person
Taken together, these three patterns accounted for 86% of all the PHI breaches Verizon analyzed.
In healthcare specifically, the threat of a PHI breach can damage doctor-patient trust. Existing data supports the notion that the average consumer’s trust in a retailer sinks after a data breach, and the Verizon report cites research suggesting that patients sometimes withhold medical information from their doctors for fear that it will be exposed in a breach.
“What many organizations fail to remember is that the data they collect is about the relationship they have with those data subjects,” the report authors write. “As reports of medical record losses continue to pile up, the trust between medical providers and their patients is being eroded.”
Fixing the Problem
Verizon’s report on PHI breach trends provides a somber picture of the state of things, though there is hope. The analysis shows that organizations handling PHI are detecting breaches faster than other industries and are shortening the amount of time between detection of a breach and counteraction. Additionally, U.S. fines and penalties for PHI breaches are increasing, strengthening the incentives for focusing on cybersecurity.
Though malicious insiders can never be fully protected against by training alone (least-privilege access and logging of who views which records at least limit the damage they can do), accidental asset loss and errors are prime opportunities for comprehensive security education programs. One caveat: lost or stolen laptops, the single largest category, are addressed more reliably by full-disk encryption than by training, since PHI that is properly encrypted when a device goes missing is not considered unsecured under HIPAA’s breach notification rule. Understanding that most security blunders are preventable empowers you to put the necessary training, policies, and controls in place to actually prevent them. Getting employees to recognize that cybersecurity is everyone’s responsibility is key to avoiding the nightmare of a PHI breach.
Whether it covers the basics of security, phishing and social engineering, or HIPAA compliance, employee education that puts staff face-to-face with real-life scenarios and lets them practice navigating those situations is vital. Implement an education program early, and reinforce its principles often.
It’s just what the doctor ordered.