PHI breaches not limited to healthcare organizations

In a report set to be released in full next month, Verizon Enterprise Solutions examines the scope and impact of protected health information (PHI) breaches since 1994. Author Suzanne Widup and her colleagues analyzed 1,931 incidents involving more than 392 million records and, perhaps more surprisingly, discovered that 90 percent of industries, including nonhealthcare industries, have experienced such a breach.

In an interview with FierceHealthIT, Widup said what gave her the most pause was the diversity of industries impacted beyond healthcare. The public sector, she said, was especially represented in the findings.

"I expected healthcare, of course; it's obviously going to have this kind of data, and there are a few other connected industries that you expect to have it, as well," Widup said. "But the fact that 90 percent of the industries are represented speaks to the fact that there are probably a lot of organizations that really don't understand that they have this kind of data. A lot of them are focused on the kind of information that's coming in from their customers."

To that end, Widup noted, PHI in such settings frequently was about employees.

"It's workers' comp data, wellness programs, organizations that manage their own employee benefits programs, those sorts of things," she said.

Insider abuses outweighed external breaches, according to Widup, likely due to the fact that internal actors don't have to jump through the same hoops as outside attackers.

"They're already inside the perimeter," she said. "But also, a lot of times, these insiders have access to this kind of information just as part of their job. It may be that when they decide to start taking information in a way that's outside of their job duties that it's not as easy to detect because organizations think those people are naturally supposed to have successful access. It's not something that's going to raise as many red flags."

One of the most dangerous side effects of such breaches, according to Widup, is the potential for a chilling effect on patients' relationships with their doctors. For instance, she said, if a patient has a communicable disease, but diagnosis and treatment are delayed because that patient fears their information might be breached, it quickly could balloon into a public health issue.

Widup noted that although 25 nations are represented in the report, 87 percent of the incidents impacted the U.S. Despite that figure, she said other nations still must remain on guard.

"This doesn't make cybersecurity nonactionable for other countries," she said. "We consistently found that the attackers are not taking into consideration the country where the data is located. Instead, they're far more interested in how it's stored, whether or not they can get their hands on it and what kind of data it is. Ease of access is a very big driver."