It appears that companies don’t have to be in the healthcare business to suffer a health information breach. About 90 percent of all industries have had protected health information compromised, according to Verizon’s PHI Data Breach Report 2015.
More than 392 million PHI records have been disclosed from non-healthcare businesses, according to the report, but the actual total could be much higher since 24 percent of the breached organizations did not provide an exact number of records involved.
Industries with the most PHI data breaches, not including healthcare or government entities, are finance and insurance, education, retail and professional services, such as law offices and tax preparers, according to Verizon.
“I was surprised, but it does make some sense because most every organization has things like their workers’ compensation data or employee wellness programs,” says Suzanne Widup, lead author of the report. Some companies are managing their own employee health benefits programs and are becoming custodians of more healthcare information than ever before, she says. Information security teams “may not even realize they have this kind of information in their organization until it gets breached.”
Companies that are the victims of a PHI breach could face regulatory fallout and other negative consequences. “Criminals are finding ways to monetize health information more than they have in the past,” says Rob Sadowski, director of technology solutions at RSA, the security division of EMC. “It’s very plausible” that personal health information can be stolen and sold to uninsured people, used to get medical supplies and equipment that can be resold or used to submit fake insurance claims – “depending on the type of data they’re able to get,” Sadowski adds.
HR departments gather and store much of the PHI data and need to review their processes for securing PHI, Widup says. HR functions that are outsourced to third parties should also be looked at, especially after several highly publicized data breaches involved vendors or contractors.
Protected health information is defined as personally identifiable health information collected from an individual, and covered under one of the many state, federal or international data breach disclosure laws. The main criterion is whether there is a reasonable basis to believe the information could be used to identify an individual.
PHI also goes beyond just medical records and includes email addresses, vehicle license plate numbers, biometric data like fingerprints, retinal scans or voice prints, and even full facial photographic images that have unique identifying characteristics.
Even certain combinations of seemingly harmless information can coalesce to become personally identifiable health data, Widup says. She has seen breaches where emails were sent advertising a wellness program regarding a certain condition, and the email addresses were exposed instead of being hidden in the BCC field. “That ends up being a breach because suddenly all these people know all these other people who have this condition,” she says.