Report: Government Leaks Protected Health Information Despite Easy Fixes

Verizon's latest report shows that nearly every organization public and private is vulnerable to the exposure of protected health information, despite access to controls designed to prevent such breaches.

by / December 16, 2015

When it comes to security, government keeps making the same mistakes, according to this year's Verizon Protected Health Information (PHI) Data Breach Report.

The report, which draws from 392 million security incidents and 1,931 data breaches across 25 nations, found that 90 percent of industries — even those not typically associated with health care —experienced PHI breaches. The public sector ranked second after the health-care industry for such breaches, despite access to rudimentary solutions that prevent those events.

Suzanne Widup, a senior security analyst at Verizon Enterprise Solutions and the report's lead author, said it's frustrating to watch government and businesses continue to make the same mistakes. Common causes of breaches in this sector include mis-delivery of mail or email, improper disposal of documents, and accidental publishing of data to public-facing websites.

"Devices being lost and stolen is a big problem ,and we see it come back year over year. It's one of those things where it's a solved problem in a lot of industries with encryption, so it's kind of surprising that this is still an issue," Widup said. "These are things that lend themselves well to quality control checks being put in."

A main theme of the 34-page report is that PHI breaches can affect almost anyone. The size of the organization matters little.

"A lot of organizations that might think they're too small to have a breach, they really need to change that thinking," Widup said, adding that the same can be said of the product or service being offered —all sectors are vulnerable. "It's not just customer data that's at risk for a breach. And for the organizations that don't have health care or insurance as a focus, most of this kind of data is actually coming from their employees, so it's worker's compensation claims, it's employee wellness programs."

Researchers also found that the frequency of PHI data breaches is creating a pernicious cycle in the realm of public health. For fear of their information being exposed through a data breach, about 12 percent of patients are not sharing everything with their physicians. This in turn leads to slower detection of communicable disease outbreaks and their subsequent treatment.

Another easily solvable problem, the report concludes, is that the breaches that go undetected the longest are more than three times as likely to be caused by internal employees.

"[It's often] caused by an insider abusing their [local area network] access privileges, and twice as likely for them to be targeting a server, particularly a database," Widup said. "The fact that it takes so long to detect these insider breaches really speaks to the need of controls to be put in place so that they can catch these much quicker before they can go on for years."

Colin Wood former staff writer

Colin wrote for Government Technology from 2010 through most of 2016.