The Worst Data Breaches in the U.S., Ranked State by State

New data reveals insider errors as the primary cause of data breaches that affected 15.2 million Americans last year.

By Luke Walling

Opinions expressed by Entrepreneur contributors are their own.

15.2m Americans had confidential personal and financial information compromised last year.

A vast database maintained by the US Government's Department of Health and Human Services records every major data breach by a health clinic, doctor, dentist or hospital since 2009. Each entry chronicles how 500 or more confidential records were compromised in a single breach.

You will find stories of stolen laptops, leaked paper records, hackers stealing data and employees accessing and disclosing information that should have been beyond their reach - often by accident.

But those confidential records contain personal and financial information with a Dark Web market value that far exceeds stolen passwords and usernames.

So, researchers at data loss prevention specialists Safetica USA have explored the database to reveal the key findings across the United States last year.

The highest number of cases

There are two basic ways of looking at which states were worst affected by data breaches last year: by the number of cases, and by the number of individual records compromised. When it comes to the highest number of cases, the list of the worst-hit states closely follows population.

| Rank | State | Number of major healthcare breaches in 2016 (at least 500 records compromised) |
| --- | --- | --- |
| 1 | California | 39 |
| 2 | Florida | 28 |
| 3 | Texas | 23 |
| 4 | New York | 15 |
| 5 | Illinois, Indiana, Washington | 12 |
| 6 | Ohio, Pennsylvania | 11 |
| 7 | Michigan | 10 |
| 8 | Arizona, Arkansas | 9 |
| 9 | Georgia, Minnesota | 8 |
| 10 | Colorado, Missouri | 7 |

Source: Safetica USA research, US Department of Health and Human Services data

Overall, the number of major breaches across the US increased last year to its highest level on record: 318 cases in 2016 compared to 270 in 2015.

California, New York, Texas, Florida and Illinois were also the five worst affected states in 2015.

The highest number of records lost

A slightly different top 10 emerges if you look at the number of records compromised. A single hacking incident suffered by Banner Health revealed last summer affected 3.7m people and pushed Arizona to the top of the list.

| Rank | State | Number of healthcare records compromised in 2016 |
| --- | --- | --- |
| 1 | Arizona | 4,524,278 |
| 2 | New York | 3,588,554 |
| 3 | Florida | 2,872,912 |
| 4 | California | 1,436,701 |
| 5 | Georgia | 782,956 |
| 6 | Maryland | 659,919 |
| 7 | Washington | 528,837 |
| 8 | Ohio | 513,917 |
| 9 | Texas | 265,018 |
| 10 | Indiana | 257,174 |

Source: Safetica USA research, US Department of Health and Human Services data

The safest states?

However, six US states avoided major healthcare data breaches last year, according to the database. That's not to say they were immune from data loss - just that healthcare organizations in these states did not experience a breach of 500 records or more.

  1. Idaho

  2. Maine

  3. North Dakota

  4. South Dakota

  5. Vermont

  6. West Virginia

A further seven states only suffered one case each in 2016: Alaska, Delaware, Hawaii, New Hampshire, Nevada, Utah and Wyoming.

Causes

Headlines make you think that hacking is the biggest problem. But the dataset paints a different picture: the biggest threat to data comes from inside an organization.

Cause of healthcare data breaches 2016

| Cause | Percentage |
| --- | --- |
| Unauthorized access/disclosure | 41.5% |
| Hacking | 31.8% |
| Theft | 19% |
| Loss | 5.4% |
| Improper disposal | 2.3% |

Unauthorized access and disclosure by insiders was also the biggest cause of data loss in 2015 - followed by theft of paper records or electronic devices like laptops, smartphones or external memory drives.

Cause of healthcare data breaches 2015

| Cause | Percentage |
| --- | --- |
| Unauthorized access/disclosure | 38% |
| Theft | 30% |
| Hacking | 21.4% |
| Loss | 8.3% |
| Improper disposal | 2.3% |

Three lessons of 2016

Safetica's forecast suggests that 2017 is likely to be a record year for cases - unless there are significant changes in the healthcare sector.

But ask healthcare practitioners why they entered their profession and the chances are they won't say "to manage IT". Their mission and vocation is providing the best possible medical care and patient outcomes.

There's technology in the marketplace right now that can mitigate the primary risk of healthcare breaches: insider errors and misjudgments.

However, the best technology doesn't place a heavy burden on staff to learn new processes, adopt new workflows and tailor their activity to a system. It's intuitive.

There are three steps towards a solution to the insider threat of data breaches: audit, implement and advocate:

  1. Audit data security. Data tends to flow around an organization and into places you never intended it to go. That means files being saved onto laptops, attached to emails, even uploaded to the cloud rather than being stored securely. The first step is to work with an auditing partner who can assess where data lives in a business, how it's being used, by whom and on what device. The audit is the first step to understanding weak points in internal processes and working practices that need to be strengthened.
  2. Implement a Data Loss Prevention (DLP) solution. There's no better way to mitigate the risk of data leaks than limiting access to confidential files – and preventing those files from being saved or sent places they shouldn't go. That means having a technical barrier in place that prevents documents from being saved to external drives, screenshots being cut-and-pasted into emails, or data being uploaded to cloud storage or file sharing services. That's precisely what DLP does.
  3. Advocate security with contractors and partners. Every organization is part of a network of suppliers and partners. The Department of Health & Human Services is expecting business "associates" of healthcare providers to demonstrate data-safe working practices. You should expect that too.

So, whether it's an IT contractor, marketing agency, maintenance or facilities service, healthcare providers should demand the highest standards of data security from their partners. The end of one year and the start of the next is the perfect time to check.

So, what will happen in 2017?

This time next year, what story will the dataset tell?

More cases? Our forecast suggests the number of cases will top 325 across the United States next year.

Will the insider threat continue to grow?

It's within the power of healthcare organizations to write their own end to that tale.

Luke Walling

General Manager of Safetica North America
