HIPAA For MSPs by David Sims Ponemon 6th Annual healthcare breaches study

Annual Ponemon Healthcare Breaches Report

Since 2010, ID Experts has sponsored this Ponemon Institute study, which tracks data breach trends for patient data at healthcare organizations. Both the annual economic impact of healthcare breaches and their frequency have risen over the past six years. Criminal attacks and internal threats are the leading causes of healthcare breaches. Evolving cyber attack threats such as ransomware and malware are the primary concern for 2016. At the same time, internal issues such as employee negligence, third-party snafus, and stolen computing devices continue to put patient data at risk.

Recent large healthcare breaches have increased the industry's awareness of the growing threats to patient data, resulting in more focus on security practices and on implementing appropriate policies and procedures. However, the research indicates that this is not enough to curtail or minimize data breaches: according to the findings, half of these organizations still lack the people or the budget to detect or manage a data breach.

Cost of healthcare breaches

  • Based on the results of this study, the Ponemon Institute estimates that data breaches could be costing the healthcare industry $6.2 billion per year.
    • Average cost per breach for a covered entity (CE) – $2.2 million; for a business associate (BA) – $1 million
  • The majority of these healthcare breaches in the study were small, containing fewer than 500 records.

Response, Cause and Detection

  • 50% have little or no confidence that they can detect all patient data loss or theft.
  • For the second year in a row, criminal attacks are the leading cause of healthcare breaches.
    • 50% of CEs say the nature of the breach was a criminal attack
      • 13% say it was due to a malicious insider.
    • In the case of BAs, 41% say it was a criminal attacker
      • 9% say it was a malicious insider.
  • Before last year's study, the leading cause had always been loss of a mobile device.
  • CEs are more likely than BAs to engage a third party to help with incident response: 40% of CEs hire one, mainly outside legal counsel (65% of respondents) followed by a forensic/IT security provider (48%). Only 33% of BAs say their organizations hire a third party, but they turn to the same types of providers.


  • BYOD, public cloud, mobile apps are growing concerns
  • The vast majority of all respondents agree that healthcare organizations are more vulnerable to data breach than other industries.
  • More than half of CEs say they are not vigilant in ensuring partners and third parties protect patient information.
  • The majority of both CEs and BAs have not invested in the technologies necessary to mitigate a data breach, nor have they hired enough skilled IT security practitioners.
  • 59% of CEs and 60% of BAs don’t think or are unsure that their organization’s security budget is sufficient to curtail or minimize data breaches.
  • 56% of CEs do not believe their incident response process has adequate funding and resources.
  • 38% of CEs and 26% of BAs are aware of medical identity theft cases affecting their patients and customers.
  • Despite concerns about the vulnerability of these organizations to a data breach, budgets do not budge. CEs report budgets have decreased (10 percent) or stayed the same (52 percent). BAs must deal with budgets that decrease (11 percent) or stay the same (50 percent).
    • Although there’s been a slight increased investment over last year in total technology, privacy and security budgets, and personnel with technical expertise, the majority of CEs still don’t have sufficient security budget to curtail or minimize data breach incidents.
      • Only 51% say they have the technical expertise to be able to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data.
      • “This is virtually unchanged since 2015.”

[Charts from the study: confidence level in detecting breaches; how breaches were discovered (CEs and BAs); changes in security; why healthcare is a target]
Get your own copy of the healthcare data breach study

Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute