Breaches of USA Medical Health Information

The U.S. Department of Health and Human Services Office for Civil Rights lists USA medical health information breaches affecting 500 or more individuals that occurred within the last 2 years and that are still under investigation.

The USA medical breach data for the last 2 years is displayed as a sortable list and can be downloaded as a spreadsheet or CSV file for further analysis. At the time of writing there are 354 entries, ranging from 500 individuals affected up to 10,000,000, although with the latter being such a nice round number some rounding was probably involved. The average number of individuals per case approaches 79,000.

The nature of private health care within the USA means that medical records can be accessed through many gateways: for example, the health care provider administering the care and the insurer (health plan) taking responsibility for the costs. Under a national health service these would be the same body and would hopefully share common security protocols. The data indicates, however, that the majority of breaches are within the provider rather than the insurer.

  • Healthcare provider: 283
  • Health plan: 51
  • Business associate: 19
  • Unknown: 1

Relying on a private health care system also requires financial as well as medical records to be kept. These should be kept separate, but medical identity theft may offer enough clues to access financial data. This added incentive, plus the wider range of services, makes USA medical information systems an attractive target for hackers. Data security protection and exploitation follow the same guidelines the world over, so the causes of breaches should be of interest to anyone holding medical information. Looking at the numbers below, hacking is the most common cause of breaches but accounts for a little under half the cases:

  • Hacking: 149
  • Unauthorised access: 126
  • Theft: 62
  • Loss: 9
  • Improper disposal: 8

The cases of theft refer to physical theft of a device that contains the data rather than virtual theft of data from a server or workstation. Nine of the theft cases were from paper or film records and 10 from portable electronic devices. The remaining thefts are either labelled ‘other’ or linked to theft of a computer or laptop.
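The tallies above (entity type, cause of breach, and where the stolen records were held) can be reproduced from the portal's CSV export. This is an added example, not code from the original post: the column names are my assumption about the export's header, and the rows are constructed for the example, not real breach reports.

```python
"""Tally an HHS OCR breach-portal CSV export the way the post does.

Added example, not part of the original post. The column names are an
assumption about the portal's export; the sample rows are constructed.
"""
import csv
import io
from collections import Counter

# Constructed sample export: a few rows shaped like the portal's CSV.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,TX,Healthcare Provider,1200,01/15/2025,Hacking/IT Incident,Network Server
Example Plan B,CA,Health Plan,10000000,02/03/2025,Hacking/IT Incident,Network Server
Example Clinic C,NY,Healthcare Provider,800,02/10/2025,Theft,Paper/Films
Example Clinic D,FL,Healthcare Provider,650,03/01/2025,Theft,Laptop
Example Vendor E,WA,Business Associate,5000,03/12/2025,"Hacking/IT Incident, Unauthorized Access/Disclosure",Email
Example Clinic F,OH,Healthcare Provider,500,03/20/2025,Loss,Other Portable Electronic Device
"""


def summarise(csv_text):
    """Count reports by entity type and by cause (a cell may list several
    causes, so each is counted), record where stolen data was held, and
    compute the mean number of individuals affected per report."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_entity = Counter(r["Covered Entity Type"] for r in rows)
    by_breach = Counter()
    theft_location = Counter()
    for r in rows:
        # One report may cite more than one cause, comma separated.
        causes = [c.strip() for c in r["Type of Breach"].split(",")]
        by_breach.update(causes)
        if "Theft" in causes:
            theft_location[r["Location of Breached Information"]] += 1
    affected = [int(r["Individuals Affected"]) for r in rows]
    mean_affected = sum(affected) / len(affected) if affected else 0.0
    return {
        "reports": len(rows),
        "by_entity": dict(by_entity),
        "by_breach": dict(by_breach),
        "theft_location": dict(theft_location),
        "mean_affected": mean_affected,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

Pointing `summarise` at the text of a real download gives the same breakdown for the live data; note that a single large report, like the 10,000,000 entry, dominates the mean.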

Hacking is the hardest type of data breach to prevent completely. Whatever methods are in place, someone will be working on overcoming them, which requires constant review of security procedures. Kindus are in a position to offer confidential, bespoke advice on reducing the risk from hackers. Instances of unauthorised access, theft or loss of physical data stores will be minimised by establishing good practice together with staff training to ensure that standards are maintained. Identity theft and disgruntled or poorly informed employees are causes of leaked account details that allow a criminal to access data, bypassing any security measures in place because the system assumes they are a valid user. Kindus provide security audits and staff training to ensure that details of key accounts are not leaked.

Devices can be physically secured to reduce the risk of theft. With network and cloud-based storage there is less need to keep records on physical devices than in the past. Where it is still required, access to those devices should be restricted with strong encryption that prevents the data itself from being accessed by an unauthorised user or from unauthorised locations.
