Data Breaches: 10 Years in Review
By Rick Kam - Article on July 10, 2013
Over the past 10 years I have seen many organizations experience a breach of personally identifiable information (PII) and protected health information (PHI). Many companies now realize that breaches are something that can happen to them, not just “the other guy.” This awareness has increased at all levels, from consumers to the executive suite, due in part to legislation like HIPAA, HITECH, the Red Flags Rule, and state data breach notification laws that require disclosure and corrective actions.
We created an infographic to illustrate A Decade of Data Breach: http://www2.idexpertscorp.com/a-decade-of-data-breach/
The type of data breached has also evolved from PII to include PHI, specifically health insurance numbers used to commit medical identity theft and healthcare fraud. Every study we see on this topic indicates that the high value of healthcare data to bad actors (about $50 a record on the black market), combined with the complexity of securing the healthcare ecosystem, makes the industry vulnerable to these kinds of crimes.
“Identity theft will not go away until the issue of identity is solved,” says Robert Siciliano, CEO of IDTheftSecurity and a personal security and identity theft expert. “‘Identity-proofing’ consumers involves verifying and authenticating with numerous technologies, and the flexibility of consumers to recognize a slight trade-off of privacy for security.”
According to Robert Siciliano and other leading industry experts, the frequency, severity, and impact of data breaches are expected to escalate; their forecast of the top trends in data breach, privacy, and security is available here.
On the Horizon: The Next Big Data Breach
Moving forward, I believe the “next big data breach” will come from healthcare, thanks to the consolidation of millions of EHRs in Health Information Exchanges. The stimulus money that funded the deployment of HIEs in every state is drying up, forcing these exchanges to fund operations in ways that will increase business risk and the potential for large data breaches.
Jim Pyles, an attorney friend with more than 40 years of experience in health law and policy, put it best. “The electronic health information privacy breach epidemic is an unanticipated ‘game changer’ in that health information can be stolen from anywhere in the world, distributed to an infinite number of locations for an infinite period of time and can cause limitless damage,” he says.
The Third Annual Benchmark Study on Patient Privacy and Data Security indicates that organizations are not protecting sensitive information as well as they could. Healthcare entities need to operationalize incident response so they can detect, contain, and report data breaches faster and better protect patient privacy.
On a regulatory level, Medicare numbers, which are currently based on a person’s Social Security number, must be replaced with a unique identifier that cannot be used to commit identity theft on its own. Other parts of the healthcare ecosystem have already done this to protect patient privacy, and industries such as education have also removed SSNs as identifiers.
Data breaches are a fact of life for organizations. Measures must be taken at all levels, from proactive efforts by consumers to holistic prevention and response strategies by executives and regulators. Together, we can overcome the causes and consequences of the everyday disaster we call data breaches. For more information on the landscape today and the outlook for the next decade, read A Decade of Data Breach: Tracking an Evolving Threat, a Q&A with me, James Christiansen, chief information risk officer at RiskyData and Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.