Data Breaches Continue to Plague Health Care Orgs

Data breaches are occurring at health-care organizations at a much higher rate than in any other industry, a trend that reflects both the vast amount of personal data housed at hospitals and medical centers and the comparatively lax security employed by these organizations, according to a report from the nonprofit Identity Theft Resource Center.

According to the report, 113 of the 385 U.S. companies and organizations that endured a significant data breach in the first half of the year were health-care providers. By comparison, only 39 breaches were reported at banking and other financial institutions.

The report analyzed data breach statistics compiled by the U.S. Department of Health and Human Services. To qualify as a significant breach, the compromised data had to include social security numbers, driver’s license numbers and financial account information.

“It may appear that there are a larger number of hospitals and medical centers appearing on the breach list than one would expect,” Jay Foley, executive director of the ITRC, told “This may be due to how HHS is now posting the reported breaches. For a period of time there were none posted, then all at once HHS was posting a number of them from last year.”

This has been an especially brutal year for data breaches at hospitals and university medical centers.

Last month, for instance, the University of Louisville Hospital acknowledged that a physician inadvertently exposed the personal information of more than 700 patients receiving kidney dialysis treatment after he set up a patient database on an unsecured Web page.

Earlier this year, more than 15,000 Kaiser Permanente patients in Northern California received the disturbing news that an unencrypted storage drive containing their most sensitive personal information was exposed after it was stolen from an employee’s car.

Security experts said breaches of this type — be it stolen laptops, USB drives or desktops — are particularly common in hospitals and physicians’ offices because these facilities have so many different types of workers (nurses, doctors, food service personnel, custodial staff, etc.) milling about in buildings that are usually much less secure than a bank or a DMV branch.

But that doesn’t mean these health-care providers are held to a lesser security standard.

Last month, the California Department of Health fined five California hospitals a total of $675,000 for repeatedly failing to adequately secure patient data.

Watchdog groups, such as ITRC, and private security software firms consistently advise patients to keep close tabs on their banking and credit information, avoid responding to any unsolicited emails purportedly from a hospital or health insurer and to definitely refrain from clicking on any attachments or links contained in emails or from unfamiliar websites.

“The best that consumers can do is remind the entity that they have shared their information with, that they expect them to keep it private and secure,” Foley said.

Larry Barrett is a senior editor at, the news service of, the network for technology professionals.

Larry Barrett
Larry Barrett is an eSecurity Planet contributor.

Top Products

Related articles