
From Health Law Daily, May 8, 2015

This time it’s crime: the lawlessness of health care data breaches

By Bryant Storm, J.D.

Criminal attacks are the primary cause of health care data breaches, according to the “Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data” by the Ponemon Institute, which was sponsored by ID Experts®, a data security and software company. The study revealed that the majority of health care organizations have faced “multiple security incidents” and nearly all health care organizations have experienced a data breach. However, despite the widespread impact of security threats, the study found that many organizations remain unprepared to protect patient data due to limited funds and resources. Additionally, the study revealed that for the first time, criminal behavior is the primary cause of security incidents in the health care industry.

Method. The study evaluated the breach incidents and preparedness of 90 health care organizations, including health plans, health care clearinghouses, and health care providers who qualify as covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191). The study also considered the exposure and preparedness of 88 business associates (BAs) of those organizations.

Findings. The study revealed that data breaches could be costing the health care industry as much as $6 billion each year. According to researchers, 90 percent of the organizations evaluated had experienced a data breach and 40 percent had experienced more than five data breaches over the prior two-year period. The study also estimated the average cost of a data breach to a health care organization at $2.1 million. Additionally, the average cost of a breach for a BA was estimated to be over $1 million.

Cause. The research also examined the changing causes of data breaches. Specifically, the study found that, for the first time, criminal attacks have become the leading cause of health care data breaches. The evaluation found that criminal attacks in the health care industry rose 125 percent from their level just five years ago. Covered entities reported that 45 percent of breaches were criminal attacks and 12 percent were the result of the behavior of a malicious insider. Similarly, BAs reported that 39 percent of their breaches were caused by criminal attackers and 10 percent were due to malicious insiders. In terms of other criminal security incidents, 78 percent of CEs and 82 percent of BAs had security incidents resulting from web-borne malware.

Preparation. The risks are not altering the behavior of health care organizations. Although the threats are significant and dynamic, only 40 percent of CEs and 35 percent of BAs indicated that they were concerned about cyber attacks. Despite the relaxed preparation of many organizations, the research indicates that everyone is at risk and size is not a predictor of whether an organization will or will not be exposed to criminal security incidents.

Companies: ID Experts; Ponemon Institute
