The Verizon researchers analyzed data spanning 25 countries and 20 years. The 1,900 breaches in the dataset accounted for nearly 400 million stolen health records—but the actual number of stolen records is likely much higher, because some organizations did not report the extent of their breaches.
Although the phrase “data breach” calls to mind large-scale hacking operations like the one that targeted the U.S. Office of Personnel Management earlier this year, the majority of the breaches in the report were actually the result of a lost or stolen item—for example, an employee’s laptop might get swiped, or even just left in the backseat of a taxi during a business trip. Whoever found or stole these computers got much more than just a piece of hardware to resell: Many contained unencrypted databases full of sensitive health information.
If the contents of these laptops were encrypted—a relatively simple change that would protect them from unauthorized access—a large portion of reported breaches could be avoided. Some companies say they’ve left their data unencrypted out of fear that encryption could slow access to files that need to be pulled up quickly. But it’s more likely, Widup says, that building in strong encryption is just not a priority for many organizations.
The upside of breaches that result from laptop theft is that they’re reported quickly, allowing cleanup crews to get a jumpstart on minimizing the damage. According to the Verizon dataset, of all the incidents discovered in 2014, nearly one-third were reported within days. But half had taken place months or even years earlier, leaving a massive window for multiple thefts from a database.
The researchers found that the majority of the breaches that go undiscovered for a long time are perpetrated by an insider: It’s much harder to detect someone snooping around if they’re just abusing their own network-access privileges. There are certain tools that monitor network activity and raise flags when something unusual happens—if an unauthorized person, for example, downloading gigabytes of sensitive health data all at once—but even when these tools are installed, they often go unmonitored, Widup says.
No matter how they leak, stolen health records don’t just affect the individuals whose data is compromised. These breaches can also ripple outwards to harm the entire health-care system—studies show that people who don’t feel confident that their information will be kept private are likely to share less with their doctors, which can hinder life-saving diagnoses and treatments.
But these patients’ lack of confidence is not unfounded. It’s hard to know the full extent of the health data that is breached every year—companies are generally reluctant to announce embarrassing breaches, and uneven reporting requirements mean they’re often not compelled to do so. Studies like the Verizon report highlight just a small fraction of a widespread problem; meanwhile, many organizations are unlikely to care about the health information they possess with until it’s already gone.
* This article has been updated to clarify that the theft of personal data from Excellus is possible, but still unconfirmed.