Health care data security breaches in the U.S.
Kevin Prince, chief architect, Perimeter eSecurity
The data breaches noted below include compromised personal information useful to identity thieves, such as Social Security numbers, account numbers and driver's license numbers. Some breaches that do not expose such sensitive information have been included to underscore the variety and frequency of data breaches. The breaches posted below include only those reported in the United States. This data is based on a survey conducted by www.infosecurityanalysis.com and verified on the Perimeter eSecurity Network. To view all of the data discussed in this study in chart form, please visit: www.perimeterusa.com.
What is a data security breach?
Nearly all organizations maintain records of their customers and employees. A data breach occurs when that information falls into the wrong hands or is extracted, viewed, or captured by an unauthorized individual. The following are some examples of data breaches that have happened in just the past few years: a hacker compromises a firewall and downloads patient information from a database server; employee information is not properly disposed of (thrown into a dumpster or not shredded); sensitive data is transmitted via email to unauthorized users; a malicious employee copies data to a thumb drive and takes it home; a laptop with customer or employee data is stolen; or an untrained employee inadvertently posts sensitive information to a public forum or website.
According to laws in 40 states, when a data security breach occurs, notification must be made to the affected individuals. Depending on the size and scope of the breach, notification can be handled in a variety of ways, including by mail, telephone, email or through the news media.
When a data security breach is discovered, and subsequent notifications are made, some organizations maintain records of those breaches, whereas others take the data and correlate it, add to it and present findings. The data captured varies based on the organization that collects it. Some only capture data for U.S.-based security breaches; others cover the globe. Most capture the name of the organization and the number of records compromised. Some capture vertical, breach type, data type, and other interesting metadata. Often, the exact number of compromised records or number of affected individuals is unknown, making it difficult to quantify security breaches.
Part of the research done for this study included an attempt to look up the number of compromised records in cases where that information had not been disclosed. There were only a few cases where data was available. In one incident we discovered a total of 14 records compromised; in another case, 1.1 million records were part of the disclosed incident. This illustrates the diversity of these types of incidents. The 24 percent that is unknown could account for little in the number of total records lost, or it could be the equivalent of many multiples of the 24 percent we know about.
Data breach disclosure laws
California Bill SB 1386 was signed into law by Gov. Gray Davis on September 25, 2002, and filed with the California secretary of state the next day. The law became operative on July 1, 2003.
This personal information privacy law requires any organization (state agency, person or business) conducting business in California and processing personal information for California residents to disclose any information security breach to those California residents whose unencrypted personal information was obtained by an unauthorized person.
Notifications can be delayed if law enforcement determines it could hinder a criminal investigation. SB 1386 will preempt all local regulation of this issue. The primary requirements, as listed within the regulatory text, will require:
(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.
What is personal information?
California defines personal information as a person's first name or first initial and last name in combination with any one of the following when at least one of the pieces of information is not encrypted:
- Social Security number
- Driver's license number or California Identification Card number
- Account number, credit or debit card number, in combination with any required security code, access code, or password that allows access to a financial account
Personal information does not include information that is publicly and lawfully available from federal, state, or local government sources.
The goal of the Health Insurance Portability and Accountability Act (HIPAA) is to protect patients' privacy and simplify the administrative processes. Information security considerations are involved throughout the guidelines and play a significant role in complying with the Privacy Rule. The purpose of this rule is to secure personally identifiable information (PII) as it travels through the healthcare system. Healthcare organizations, including providers, payers, and clearinghouses, must comply with the Privacy Rule.
To help health care organizations comply with the Privacy Rule, security standards have been developed to help organizations protect PII. These standards encompass administrative procedures, technical security mechanisms and services, and physical safeguards. Failure of health care companies to comply with the security standards outlined by HIPAA may not only result in regulatory actions, such as fines, but also direct business loss from lawsuits, damage to reputation, and degradation of the public's trust.
Individuals affected by data breaches that meet the personal information definition and notification requirements must be notified by using one of three methods: written notice, electronic notice with customer's consent, or substitute notice (developed to handle large/costly breaches).
Potential issue: Several states do not require organizations to notify consumers of a breach if there is no “reasonable likelihood of harm” to the individual. The definition of reasonable likelihood is open for interpretation by the breached organization.
Notification requirements are vaguely defined in most legislation, except Florida and Ohio (45 days after the security breach). Many use the California definition of “the most expedient time possible and without unreasonable delay” and include provisions for the needs of law enforcement.
Potential issue: The term unreasonable delay is subjective. It may take months for an organization to fully assess the impact of a large breach.
Among the states, encryption of customer data generally provides an exemption to disclosure requirements. Security professionals and computer engineers know that encryption is not the end-all to protecting data; it's designed to prevent unauthorized persons from accessing that data. If a hacker can fool a system into recognizing him or her as an authorized user, the hacker will gain access to the data.
Security of encryption keys is also very important; if the keys are stolen along with the data, then the hacker can gain access to the information. These gaps were apparently being considered in Pennsylvania when Senate Bill 712 was passed. That bill states, "An entity must PROVIDE NOTICE OF the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption keys."
Kansas, Colorado and Delaware are among 18 states that have provisions exempting companies from disclosure if, upon investigation, it is believed that the stolen data will likely not be misused. Companies should be cautioned against relying too heavily on such a provision. For one thing, how can the hacker's intent be proven? In addition, there is a clear conflict of interest for a company to conduct its own investigation to determine whether or not the stolen data will likely be misused. The risk, then, is creating a negative public perception of the company.
Half of the states with data breach laws specifically mention data redaction as offering an exemption to disclosure requirements (as is the case in Arizona's Senate Bill 1338). An example would be to edit (redact) a credit card account number so that it would no longer be a true account number. The lesson here is to use only nonpublic personal information (NPI) when it is critical to do so. For example, many companies use internally developed customer identification numbers rather than Social Security numbers to track customers. This meets the needs of businesses while at the same time reduces data security risks.
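The definition of personal information given above, together with the encryption, key-compromise and redaction exemptions discussed in the last few paragraphs, reduces to a small decision rule. The following helper is an added illustration, not part of this report or of Perimeter eSecurity's tooling; the record layout, the use of a `*` marker to denote a redacted value, and the sample records in the usage are constructed. It reads the definition literally, as the text states it: the record is personal information when the name and one qualifying data element are present and at least one of those pieces is unencrypted, so encrypting only the SSN column while the name stays in plaintext does not by itself exempt a record. An account number is counted only together with the access code that unlocks the account, which is the reading of "in combination with any required security code" used here.

```python
"""Decision helper for the California SB 1386 definition of personal information
(name plus SSN, driver's license number, or account number with its access code,
with at least one of those pieces unencrypted) and for the encryption, key-compromise
and redaction exemptions discussed above. Added illustration, not part of the report;
the record layout and the '*' redaction marker are constructed conventions."""
import re
from dataclasses import dataclass, field


@dataclass
class Record:
    first_name: str = ""          # first name or first initial
    last_name: str = ""
    ssn: str = ""
    drivers_license: str = ""     # or California Identification Card number
    account_number: str = ""
    access_code: str = ""         # PIN, password or security code for the account
    customer_id: str = ""         # internally generated surrogate identifier
    encrypted: set = field(default_factory=set)  # names of fields stored encrypted


def usable(value: str) -> bool:
    """A redacted value (marked with '*') is no longer a true identifier."""
    return bool(value) and "*" not in value


def qualifying_elements(r: Record) -> list:
    """Data elements that, combined with a name, make the record personal information."""
    elems = []
    if usable(r.ssn):
        elems.append(("ssn",))
    if usable(r.drivers_license):
        elems.append(("drivers_license",))
    # an account number counts only together with the code that unlocks the account
    if usable(r.account_number) and r.access_code:
        elems.append(("account_number", "access_code"))
    return elems


def is_personal_information(r: Record, keys_compromised: bool = False) -> bool:
    """Literal reading of the definition above: the name plus one data element,
    where at least one of those pieces is unencrypted. If the encryption keys were
    compromised too (the Pennsylvania SB 712 position quoted above), encryption is
    treated as absent and gives no exemption."""
    if not (r.first_name.strip() and r.last_name.strip()):
        return False
    for elem in qualifying_elements(r):
        pieces = ("first_name", "last_name") + elem
        if keys_compromised or any(p not in r.encrypted for p in pieces):
            return True
    return False


def redact_account_number(number: str, keep: int = 4) -> str:
    """Arizona-style redaction: keep only the last few digits so the stored value
    can no longer be used as an account number."""
    digits = re.sub(r"\D", "", number)
    return "*" * (len(digits) - keep) + digits[-keep:]


def minimize(r: Record, customer_id: str) -> Record:
    """Replace the SSN and account data with an internal customer ID, the
    data-minimisation practice recommended above."""
    return Record(first_name=r.first_name, last_name=r.last_name,
                  drivers_license=r.drivers_license, customer_id=customer_id,
                  encrypted=set(r.encrypted))


if __name__ == "__main__":
    # constructed sample records
    plain = Record("Jane", "Doe", ssn="123-45-6789")
    print("plaintext SSN:", is_personal_information(plain))                       # True
    fully_encrypted = Record("J", "Doe", ssn="123-45-6789",
                             encrypted={"first_name", "last_name", "ssn"})
    print("all pieces encrypted:", is_personal_information(fully_encrypted))      # False
    print("... but keys stolen:", is_personal_information(fully_encrypted, True))  # True
    card = Record("Jane", "Doe", account_number="4111 1111 1111 1111", access_code="1234")
    card.account_number = redact_account_number(card.account_number)
    print("redacted account:", card.account_number, is_personal_information(card))  # False
```

The usage block walks the exemptions in order: a plaintext SSN with a name triggers the definition, encrypting every piece removes the record from scope, a key compromise puts it back in scope, and redacting the account number to its last four digits takes it out again.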
As noted earlier, information breach notification laws are not limited to electronic data. A handful of states, including California, New York, Utah, Vermont and Virginia, have laws specific to the secure disposal of NPI on paper. Many companies nationwide provide secure document disposal services.
Most states that have information-breach-notification laws hold businesses liable for the security of NPI, yet only 22 apply the same requirements to their own government agencies. That means 11 states — Alabama, Colorado, Georgia, Maine, Minnesota, Montana, North Carolina, Oklahoma, Texas, Utah, and Vermont — gave themselves a pass on their own laws. A caution for the would-be hacker: Several states have made it a criminal offense to steal somebody's identity. Arizona House Bill 2484, for example, makes identity theft a felony.
The security breach disclosure bandwagon
Following high-profile data security breaches in 2005 at ChoicePoint (where 163,000 records were compromised) and CardSystems (where 40,000,000 records were compromised), many states began using California SB 1386 as a model for developing their own data security breach disclosure laws. Today, 40 states in the country have passed data security breach disclosure laws, each with its own distinct notification requirements. An interactive map with a summary of state-by-state disclosure laws is available online.
New legislation in the pipeline
A new California law requiring that customers be notified of a breach involving their medical information is likely to influence legislation in other states.
AB 1298 is an extension of the financial data breach notification law SB 1386, which has been partially responsible for influencing nearly 40 other states to adopt similar legislation over the past five years. SB 1386 is widely interpreted as applying to non-California entities that hold customer records about California residents. The new law requires all state agencies and companies that conduct business in California to notify residents when a breach of their medical information occurs. To warrant notification, a name must be associated with the data; Social Security numbers do not have to be present. The new law also restricts organizations from disclosing personal health information without patient consent.
Robert Booz, a vice president of research at Gartner, anticipates that this law will expand the healthcare industry's concern for privacy and security, and influence other states to adopt legislation—if for no other reason than to demonstrate good public policy.
In the short term, California-based health insurers and others who hold medical records must revisit their privacy and security standards. “They need to implement proper security measures, like encryption,” Booz says. In addition, the law will require a new level of investment in training for customer service, sales, and other externally facing operations.
Data security breach trending
The data used to extrapolate the charts, graphs, and representations for this study is by its very nature misleading. A clear growth pattern from the year 2000 through 2006 with a slight dip for 2007 emerges on careful review of the data. The California SB 1386 legislation went into effect in mid-2003, the first state to adopt such legislation. Eleven additional states adopted similar legislation in 2005. Seventeen more states came on board in 2006 and five additional states in 2007, with several already added to the books for 2008. This information correlates closely with the years when state laws went into effect regarding data breach disclosure.
Data breach incidents haven't just begun to occur in the past few years; rather, the requirement to disclose those events gives a first view into the nature and severity of the problem. Publicly known data breaches prior to these laws going into effect are nearly all known as a result of fraud committed using the data, or by media leaks.
Though the total number of incidents dropped slightly from 2006 to 2007, the number of records compromised across all known data breaches in the United States shows a continual increase over the past several years. The average number of records compromised in a single incident is 431,077 (which encompasses more than three hundred million records across 711 data security breach incidents in the U.S. between 2000 and 2007 where the number of records breached was known). Twenty-two incidents include more than one million records compromised, with several being in the tens of millions. Nearly 100 of these same events had fewer than 1,000 records compromised, with more than two dozen being in the double digits.
Over the years, there were some significant incidents making the number as large as it is. The following list includes some incidents that have become household names:
- U.S. Department of Veterans Affairs – 5/22/06 – 26,500,000 records
- America Online – 6/24/04 – 30,000,000 records
- CardSystems (Visa, Mastercard, American Express) – 6/19/05 – 40,000,000 records
- TJX Companies – 1/17/07 – 94,000,000 records
Types of data
Organizations store a lot of information, both electronically and on paper. The value of this data can vary. For example, a Social Security number or credit card number by itself has little value. When combined with the full name, or even the partial name, of the owner, the number becomes valuable. Other types of data alone, or in combination, have varying degrees of value to a perpetrator of fraud. The Social Security number ranks highest by far (61 incidents), owing to its inherent flexibility: fraudsters can use that number to assume a victim's complete identity, open accounts and obtain loans.
Compromised records from health care organizations between 2000 and 2007 totaled 3,253,633 (one percent of the U.S. population). Medical information was quite low; however, that is likely due to the current lack of laws in most states that would require disclosure of this type of data.
Incidents by industry
Health care companies are responsible for 11 percent of all data breach incidents in the U.S. between 2000 and 2007. Although educational institutions have a greater number of incidents/records lost, health care ranks number two.
Business — as it is identified in one set of raw data — had the greatest number of incidents at 311 (which isn't surprising when that category includes retail and financial institutions); education ranked second at 281 incidents; government came in third with a total of 245 incidents. Health care had a total of 108 incidents.
Education ranks quite high in total number of incidents but only accounts for 2 percent of all records compromised. Health care has a similar number of records compromised, but accomplishes it with one-third the incidents.
Companies put into the business category account for 77 percent of all records compromised, the largest share of any group. Government accounts for 19 percent of all records compromised.
It should be noted that although records have been kept regarding publicly disclosed security breaches since 2000, there are no security breaches reported prior to 2004 for health care organizations.
Since 2004, there has been an average tenfold increase in records compromised year over year, with the exception of 2007, which had fewer records compromised but more incidents than 2006. The 2007 numbers are likely skewed because nearly one-third of the incidents did not include the number of records compromised. The Perimeter eSecurity Security Operation Center (SOC) has been following a trend where health care customers have seen the number of security events generated from intrusion detection systems triple (on average) in the last six months.
Between 2000 and 2007, nearly half of all health care security incidents that occurred in the U.S. were associated with hospitals. Although hospitals seem to have more than their fair share of incidents, the story is quite different when compared with total records compromised.
Between 2000 and 2007, 40 percent of publicly known security incidents at health care organizations are classified as data breaches. Data breaches are always malicious in nature, whereas incidents from laptops being stolen (22 percent of incidents) aren't as clearly defined. Perhaps the perpetrator was after the sensitive information on the laptop (which can be the case when a laptop is missing from an office), but often theft of portable electronics is for the value of the asset and not what is on it (as in many cases of laptops stolen from cars, hotels, etc.). However, because the data was exposed to an unauthorized person, it is classified as a data security breach incident. Those incidents that cause data exposure (27 percent of incidents), however, were rarely done with malicious intent. This type of data breach incident is often caused by untrained or careless employees; sometimes the computer or other system has a glitch that inadvertently exposes sensitive data.
Although data breaches (hackers, malicious employees, social engineering, etc.) only constitute 40 percent of incidents, they account for 57 percent of all records compromised, nearly two and a half times the next closest category. Similarly, though data exposure accounts for 27 percent of all incidents, it only amounts to 4 percent of all records lost.
Spending time and money on training, policies and procedures, and enforcement will reduce security incidents. Even the loss of a handful of records can result in negative media exposure, eroding your company brand, customer trust and loyalty, and eventually your bottom line.
Data breach sources
This section will analyze the source of data security breach incidents and how they relate to total records compromised. The sources of data security breaches are broken into the following segments:
- Careless/untrained insider
- 3rd party fault
- Malicious insider
It might seem strange that theft is more than one-half of all incidents, and yet, in the previous section, data breaches are listed as the leading category of a data security breach. The reason for this is that theft can have different intentions and lead to a variety of uses, many of which won't be known. For example, a person who steals a laptop from an automobile may want it for personal use or to sell to a pawn shop. He may have had no intention of looking at the hard drive for data that could be used to perpetrate identity theft. Or that may be the very reason he stole the laptop. Perhaps when it ends up at the pawn shop, the owner discovers this data and uses it for fraudulent purposes. Perhaps the person who buys it from the pawn shop uses the data for criminal purposes. The point is that when theft occurs, it must be assumed the sensitive data will be used for a malicious purpose, therefore it is classified (in most cases) as a data breach.
Identifying theft as the cause of a large part of data breaches gives health care organizations some direction when writing and enforcing their policies and procedures. For example, because organizations get a “pass” on encrypted data (in all but two states), health care should invest in technology that encrypts the hard drives of all laptops, even those that will not be removed from the facility. This single change in policy and procedure (if executed) would cut in half the number of security incidents.
Although only 10 percent of incidents occurred as a result of a malicious insider, it accounts for nearly a quarter of all the records compromised. Many organizations do not understand the damage that can be caused by a malicious employee.
Data location at time of breach
The location of the data at the time of the compromise is a statistic worth reviewing. Although for 31 percent of incidents it is not specified whether the data was inside the secured facility or outside, the remaining 69 percent is telling. This again speaks to the need for strong policies and procedures. If organizations did not allow sensitive data to leave their facility without being encrypted (for electronic data) or disposed of properly (for physical data), it could eliminate nearly a quarter of the incidents they would face.
Granted, strong, enforced policies and procedures aren't enough to stop all incidents. This is where technology solutions can be implemented to mitigate the risks. For example, when an employee inadvertently sends an email with sensitive information, that is considered a security breach. However, if the organization has implemented an email content filtering solution that captured and quarantined that email, the incident would have been averted. There are many ways that secure, sensitive data can “leak” from an organization. Fortunately, there are many solutions to address the variety of ways this can occur.
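The email content filter mentioned above can be shown in miniature. The following is an added example written for this page, not Perimeter eSecurity's product or any code from the report; the message layout, the internal-domain list and the four sample messages are constructed. It scans subject and body for Social Security numbers and payment card numbers, applies the Luhn checksum so that order numbers and other long digit strings do not trigger false quarantines, and quarantines only when sensitive data is addressed to a recipient outside the organization's own domains; the findings are returned in masked form so they can be logged without re-exposing the data.

```python
"""Outbound e-mail content filter of the kind described above: scan a message for
Social Security and payment card numbers before it leaves the organization and
quarantine it when sensitive data is addressed to an external recipient.
Added example, not Perimeter eSecurity's product; message layout, domain list
and sample messages are constructed for illustration."""
import re

# SSN in the dashed form, rejecting area 000/666/9xx, group 00 and serial 0000
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment card numbers; rules out order numbers and
    other long digit strings that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, masked_value) for each SSN or Luhn-valid card number found."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def recipient_domains(message: dict) -> set:
    """Domains of all recipients; the part after the last '@', lower-cased."""
    return {addr.rsplit("@", 1)[-1].lower() for addr in message["to"]}


def filter_outbound(message: dict, internal_domains: set) -> dict:
    """Decide whether an outbound message may be delivered.
    Quarantine when sensitive data is found and any recipient is outside the
    organization's own domains; findings are always returned for audit logging."""
    findings = find_sensitive(message["subject"] + "\n" + message["body"])
    external = recipient_domains(message) - internal_domains
    action = "quarantine" if findings and external else "deliver"
    return {"action": action, "findings": findings, "external": sorted(external)}


if __name__ == "__main__":
    # constructed sample traffic; 'example-hospital.test' is the organization's own domain
    internal = {"example-hospital.test"}
    samples = [
        {"to": ["billing@example-hospital.test"], "subject": "chart",
         "body": "Patient SSN 123-45-6789, please update the account."},
        {"to": ["agent@outside-insurer.test"], "subject": "claim",
         "body": "Patient SSN 123-45-6789 attached."},
        {"to": ["vendor@supplier.test"], "subject": "order",
         "body": "Order 1234567890123456 shipped today."},
        {"to": ["vendor@supplier.test"], "subject": "payment",
         "body": "Charge card 4111 1111 1111 1111 for the invoice."},
    ]
    for msg in samples:
        result = filter_outbound(msg, internal)
        print(msg["to"][0], "->", result["action"], result["findings"])
```

Only the second and fourth messages are quarantined: the first carries an SSN but stays inside the organization, and the third contains a 16-digit order number that fails the Luhn check. Masked findings, not raw values, are what reach the quarantine log.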
Security breach impact on public companies
There are four public health care companies that have had data breach incidents during 2006. One of the companies had two data security breaches, making a total of five incidents. These five incidents accounted for about five percent of all health care incidents between 2000 and 2007; however, these five incidents accounted for over 10 percent of the total records compromised.
When looking at stock charts for public companies at the time the security breach occurred, it is often impossible to tell whether any impact to the stock (good or bad) was from the security incident. In two cases, there seems to be a sudden drop at the time the breach was announced, while in the other cases there seemed to be no effect. In the case of Aetna, which had two incidents within the same year, the first breach resulted in the compromise of 39,000 records. The stock chart shows a significant drop shortly after that time. The following incident resulted in 10 times the number of records being breached, and yet there seems to be no effect on the stock.
The impact of high-profile data security breaches seems more quantifiable. There was a 20 percent drop in the TJX Companies stock within weeks of the data security breach that included the compromise of 94 million records. This did, however, appear to be a temporary drop in that the stock had recovered 75 percent of its losses within three months and fully recovered within about seven months.
Some believe that this data security breach will cause TJX Companies to go out of business or be forced to merge with another company. TJX has reported that it has now spent or put aside approximately $250 million in connection with the incident.
Less obvious is Time Warner/AOL where a noticeable decrease occurred post compromise of 30 million records; however, within two months, the stock was at one of its highest points ever. Therefore it would seem that the media, customers, and employees all have short memories when it comes to security breaches.
Sometimes, insider trading is the cause of a sudden drop in stock price, when executives and employees believe there will be a large fallout from a security breach that has not yet been made public. For example, from a CNN report:
“The chairman and the president of ChoicePoint — under fire for allowing phony businesses to buy access last fall to their database of personal information on consumers — have between them sold almost 500,000 shares of company stock for a profit of $17.6 million since November, according to Securities and Exchange Commission filings.”
Security breach impact on small companies
It usually isn't the fear or reality of public backlash that concerns companies; rather, it's the hard and soft costs associated with recovering from a security breach. A McAfee security study, reported in an Information Week article titled “Companies Say Security Breach Could Destroy Their Business,” found:
- One-third of companies polled said that a major security breach could put their company out of business;
- A data breach that exposed personal information would cost companies an average of $268,000 to inform their customers—even if the lost data is never used;
- 61 percent of respondents said data leakage is the doing of insiders, and 23 percent said those leaks are malicious;
- 46 percent said they don't debrief or monitor employees after they give notice that they are leaving the company;
- 23 percent said they were able to estimate the total annual cost of data leakage, putting the figure at $1.82 million.
There have been cases where a security breach does cause a small health care company to go out of business. Verus Inc., for example: “Medical IT Contractor Folds After Breaches – Blamed for privacy breaches at five different hospitals, Verus Inc. silently closes its doors.”
Cost of a security breach
The costs of recovering from a security breach vary depending on the type of company or industry, the circumstances surrounding the security breach, type of data compromised, liability, and so on. Many organizations are required by federal law to perform risk assessments to determine their exposure to a variety of threats and risks. To perform a comprehensive risk analysis, an organization needs to know what it would cost to recover from a given compromise. Here are a few items from the news that relate to the cost of recovering from a data security breach.
- Visa and TJX agree to provide U.S. issuers up to $40.9 million for data breach claims.
- ChoicePoint settles data security breach charges; to pay $10 million in civil penalties, $5 million for consumer redress. At least 800 cases of identity theft arose from company's data breach.
- Hannaford Bros. Co. already has been hit with two class-action lawsuits filed on behalf of consumers whose credit and debit card numbers were compromised as a result of a major security breach.
- Data breach incidents cost companies $197 per compromised customer record in 2007, compared with $182 in 2006.
- A breach that exposes 46,000 identities will cost an organization $7.6 million on average.
- Forrester recently surveyed 28 companies that had data breaches and estimated that such a breach will cost an organization between $90 and $305 per exposed record, depending on the public profile of the breach and the regulations that apply to the organization.
- The average total cost per reporting company was $4.8 million per breach and ranged from $226,000 to $22 million.
- Direct incremental costs averaged $54 per lost record, which included free or discounted services offered, notification letters, phone calls, and emails, legal, audit, and accounting fees, call center expenses, public and investor relations, etc.
- Lost productivity costs averaged $30 per lost record.
- Customer opportunity costs averaged $98 per lost record.
- Customer turnover averaged 2 percent and ranged as high as 7 percent.
- The cost of new preventative measures averaged 4 percent of the total breach cost, or $180,000 on average.
- Many companies had to subscribe customers or employees to free credit monitoring services that ranged from $10 to $25 per month/customer or employee.
To use an online calculator to arrive at an estimated cost of a breach based on the number of records exposed, visit this website.
Record format at time of breach
It is interesting to review the percentage of records that were in electronic versus paper format at the time they were compromised. For example, the financial industry has a significant portion of data breaches from paper files. In the health care industry, respondents said records were either in an electronic format at the time the breach occurred or they did not specify. Of all records compromised in the U.S. health care industry between 2000 and 2007, only 7,250 records were in printed format. Clearly, additional focus needs to be on policies, procedures, and technologies that can help mitigate the risk of electronic records being exposed and compromised.
According to the PGP Research Study, nearly 90 percent of all data breaches were in electronic form.
Health care organizations have done better than many other industries regarding the number of data security breach incidents and total number of records lost. However, enhanced disclosure laws for health care organizations and modern tactics used by attackers and malicious insiders to compromise data are forcing these businesses to take a new and deeper look at IT security.
Health care organizations are now being audited like never before, and regulations such as PCI are impacting what these companies must do to be safe and compliant. Healthcare organizations think of risk and security more broadly than many other industries. They have to keep babies from being kidnapped and drugs safely locked away. Access to secure areas and records must be tightly controlled. Now a greater emphasis will need to be taken on data security measures that touch all aspects of the health care business. Done proactively, a health care organization will be able to focus on its core business. The alternatives are far less pleasant.
Kevin Prince is chief architect of Perimeter eSecurity, a security software-as-a-service provider offering over 50 IT security services.
Click here for a fuller version of this report in PDF format, including charts and graphs.