The recent spate of cyberattacks on retailers, including Target, has scared shoppers and triggered debates in Congress about whether consumers’ data is being properly protected. Despite its security flaws, the retail sector isn’t the industry most vulnerable to breaches. That dubious honor goes to health care.
A recent study found that the health-care sector suffered the highest share of attacks in 2013, overtaking the business sector for the first time in almost a decade.
The Identity Theft Resource Center, a nonprofit organization that tracks data theft, reported that health-care organizations suffered 267 breaches last year, or 43 percent of all attacks in 2013. That’s significantly higher than the business sector (comprising retailers, tech companies and others), which suffered 210 attacks, or 34 percent of all breaches. The financial sector was hit by 23 breaches, or 3.7 percent of all attacks.
Unfortunately, the numbers don’t come as a surprise. In 2012, a Washington Post investigation found that the health-care sector was far behind in addressing basic security flaws.
One caveat: The health-care number may be high because of a 2013 federal regulation that requires companies to publicly report breaches affecting 500 or more people. So there may be more data out there on health-care breaches than there is on, say, retail attacks.
But there’s no doubt that the number of data breaches across sectors has increased. Since the ITRC began tracking figures in 2005, the number of reported breaches is up nearly 300 percent. In 2013, the number of breaches was 30 percent higher than in 2012. And the leading cause of stolen data last year was hackers.
Why would hackers want to steal your medical records? Well, there’s no limit to the uses they could put them to, according to Sam Imandoust, legal analyst at the ITRC. They could steal your identity using the sensitive data contained in medical records, abuse prescriptions to buy narcotics or sell your information on the black market.
“If you have someone’s medical records — with their name, social security number and everything else — you can commit any other kind of identity theft,” Imandoust said.
Most of the health-care breaches in 2013 happened at the state level, at hospitals and insurance providers. California was hit by some of the biggest breaches. More than 700,000 patients’ records were compromised when two laptops were stolen from an AHMC Healthcare office near Los Angeles. In New Jersey, more than 830,000 records were stolen in a similar theft at Horizon Blue Cross Blue Shield.
This all means that the conversation about protecting consumer data is likely far from over.