Main HIPAA Breach Threat is Human Error Says New Report

The Protected Health Information (PHI) held by health plans and healthcare providers is of high value to thieves, and cyberattacks are on the increase; however, the main HIPAA breach threat is human error, according to a new report by Baker Hostetler.

The data for the report comes from an analysis of over 200 data security incidents that were reported by the company’s clients, which spanned a number of different industries. The company found that the healthcare industry suffered the majority of breaches, although data was also included from the finance, insurance, retail, technology, hospitality and entertainment industries.

Employee Negligence is the Main HIPAA Breach Threat

Earlier this week, the Ponemon Institute released a report attributing the main cause of HIPAA breaches to criminal activity, whether in the form of cyberattacks, theft of equipment for the data it contained, or insider theft of PHI.

The Baker Hostetler report gives a different view, showing that, for the firm’s clients at least, the main root cause of data breaches was employee negligence, which accounted for 36% of the reported security incidents. Data theft by external third parties (including hackers) accounted for just 22% of breaches, while malware caused 16% of breaches and phishing attacks were responsible for 14%.

Combining the figures for external attacks by hackers, malware and phishing gives 52%, over half of the reported incidents, which supports the Ponemon Institute finding that crime is the root cause of the majority of HIPAA data breaches.

Healthcare and Finance Industry Likely to Report More Data Breaches

The report points out that because the Health Insurance Portability and Accountability Act (HIPAA) places strict reporting requirements on Covered Entities (CEs), a healthcare data breach is much more likely to be reported than a breach in a less regulated industry. This could, in part, account for the higher proportion of security incidents reported by the healthcare industry. The same is true of the financial industry.

The report says, “Incidents affecting these sectors often require forensic investigation and draw more media coverage; the cost and potential financial consequences are dramatically higher on a per-incident basis.”

Since criminal activity was behind the majority of security incidents, and since healthcare providers and insurers hold large volumes of highly valuable data, the high healthcare data breach figures likely reflect an increase in criminal activity: data thieves are switching from obtaining credit card numbers from retailers to obtaining PHI from the healthcare industry, which offers higher rewards.

In addition to reporting on the causes of data breaches, the firm stresses that a rapid breach response is critical. The report gives four reasons why any organization suffering a data breach must act fast:

Why a Fast Data Breach Response is Essential

  1. A slow response can mean a missed opportunity to prevent data from being stolen.
  2. Forensic data relating to the incident may be lost; this information could help identify suspects or determine exactly what data was compromised.
  3. The incident may be reported in the media before the company has issued a statement.
  4. Being caught by surprise invariably puts an organization under pressure and even closer scrutiny.

The Breach Response under HIPAA

Under HIPAA Rules, covered entities must respond promptly to data breaches and can be penalized for a slow breach response. CEs must report data breaches within 60 days of discovery, and all affected patients must be notified without “unnecessary delay.”

To meet these requirements, a forensic analysis must be conducted to determine which data was accessed, or potentially accessed, and therefore which individuals must be notified. That analysis can take time to complete, so it is essential that it is started promptly, and for that to happen a tested breach response plan must already be in place.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of