The Worst Data Breaches in the U.S., Ranked State by State

New data reveals insider errors as the primary cause of data breaches that affected 15.2 million Americans last year.

By Luke Walling Edited by Dan Bova

Opinions expressed by Entrepreneur contributors are their own.


15.2m Americans had confidential personal and financial information compromised last year.

A vast database maintained by the US Government's Department of Health and Human Services records every major data breach by a health clinic, doctor, dentist or hospital since 2009. Each entry chronicles how 500 or more confidential records were compromised in a single breach.

You will find stories of stolen laptops, leaked paper records, hackers stealing data and employees accessing and disclosing information that should have been beyond their reach - often by accident.

But those confidential records contain personal and financial information with a Dark Web market value that far exceeds stolen passwords and usernames.

So, researchers at data loss prevention specialists Safetica USA have explored the database to reveal the key findings across the United States last year.

The highest number of cases

There are two basic ways of looking at which states were worst affected by data breaches last year: by the number of cases, and by the number of individual records compromised. When it comes to the highest number of cases, the list of the worst-hit states closely follows population.

| Rank | State | Number of major healthcare breaches in 2016 (at least 500 records compromised) |
|------|-------|------|
| 1 | California | 39 |
| 2 | Florida | 28 |
| 3 | Texas | 23 |
| 4 | New York | 15 |
| 5 | Illinois, Indiana, Washington | 12 |
| 6 | Ohio, Pennsylvania | 11 |
| 7 | Michigan | 10 |
| 8 | Arizona, Arkansas | 9 |
| 9 | Georgia, Minnesota | 8 |
| 10 | Colorado, Missouri | 7 |

Source: Safetica USA research, US Department of Health and Human Services data

Overall, the number of major breaches across the US increased last year to its highest level on record: 318 cases in 2016 compared to 270 in 2015.

California, New York, Texas, Florida and Illinois were also the five worst affected states in 2015.

The highest number of records lost

A slightly different top 10 emerges if you look at the number of records compromised. A single hacking incident suffered by Banner Health revealed last summer affected 3.7m people and pushed Arizona to the top of the list.

| Rank | State | Number of healthcare records compromised in 2016 |
|------|-------|------|
| 1 | Arizona | 4,524,278 |
| 2 | New York | 3,588,554 |
| 3 | Florida | 2,872,912 |
| 4 | California | 1,436,701 |
| 5 | Georgia | 782,956 |
| 6 | Maryland | 659,919 |
| 7 | Washington | 528,837 |
| 8 | Ohio | 513,917 |
| 9 | Texas | 265,018 |
| 10 | Indiana | 257,174 |

Source: Safetica USA research, US Department of Health and Human Services data

The safest states?

However, six US states avoided major healthcare data breaches last year, according to the database. That's not to say they were immune from data loss - just that healthcare organizations in these states did not experience a breach of 500 records or more.

  1. Idaho

  2. Maine

  3. North Dakota

  4. South Dakota

  5. Vermont

  6. West Virginia

A further seven states only suffered one case each in 2016: Alaska, Delaware, Hawaii, New Hampshire, Nevada, Utah and Wyoming.

Causes

Headlines make you think that hacking is the biggest problem. But the dataset paints a different picture: the biggest threat to data comes from inside an organization.

| Cause of healthcare data breaches 2016 | Percentage |
|------|------|
| Unauthorized access/disclosure | 41.5% |
| Hacking | 31.8% |
| Theft | 19% |
| Loss | 5.4% |
| Improper disposal | 2.3% |

Unauthorized access and disclosure by insiders was also the biggest cause of data loss in 2015 - followed by theft of paper records or electronic devices like laptops, smartphones or external memory drives.

| Cause of healthcare data breaches 2015 | Percentage |
|------|------|
| Unauthorized access/disclosure | 38% |
| Theft | 30% |
| Hacking | 21.4% |
| Loss | 8.3% |
| Improper disposal | 2.3% |

Three lessons of 2016

Safetica's forecast suggests that 2017 is likely to be a record year for cases - unless there are significant changes in the healthcare sector.

But ask healthcare practitioners why they entered their profession and the chances are they won't say "to manage IT". Their mission and vocation is providing the best possible medical care and patient outcomes.

There's technology in the marketplace right now that can mitigate the primary risk of healthcare breaches: insider errors and misjudgments.

However, the best technology doesn't place a heavy burden on staff to learn new processes, adopt new workflows and tailor their activity to a system. It's intuitive.

There are three steps towards a solution to the insider threat of data breaches: audit, implement and advocate:

  1. Audit data security. Data tends to flow around an organization and into places you never intended it to go. That means files being saved onto laptops, attached to emails, even uploaded to the cloud rather than being stored securely. The first step is to work with an auditing partner who can assess where data lives in a business, how it's being used, by whom and on what device. The audit is the first step to understanding weak points in internal processes and working practices that need to be strengthened.
  2. Implement a Data Loss Prevention (DLP) solution. There's no better way to mitigate the risk of data leaks than limiting access to confidential files and preventing those files from being saved or sent to places they shouldn't go. That means having a technical barrier in place that prevents documents from being saved to external drives, screenshots being cut-and-pasted into emails, or data being uploaded to cloud storage or file sharing services. That's precisely what DLP does.
  3. Advocate security with contractors and partners. Every organization is part of a network of suppliers and partners. The Department of Health & Human Services is expecting business "associates" of healthcare providers to demonstrate data-safe working practices. You should expect that too.

So, whether it's an IT contractor, marketing agency, maintenance or facilities service, healthcare providers should demand the highest standards of data security from their partners. The end of one year and the start of the next is the perfect time to check.

So, what will happen in 2017?

This time next year, what story will the dataset tell?

More cases? Our forecast suggests the number of cases will top 325 across the United States next year.

Will the insider threat continue to grow?

It's within the power of healthcare organizations to write their own end to that tale.

Luke Walling

General Manager of Safetica North America
