There were more than 900 data breaches of protected health information affecting at least 500 individuals between 2010 and 2013, a study from the April issue of the Journal of the American Medical Association says.
The research was conducted by doctors and other analysts at the Kaiser Permanente Division of Research in Oakland, California. Researchers examined an online database maintained by the US Department of Health and Human Services to access and analyze the information.
More than 29 million records were affected by the breaches, with six involving more than 1 million records each. The majority were caused by criminal activity and, in total, account from more than 82% of all reported breaches in the years that were studied.
Roughly 67% of breaches occurred via electronic media, most particularly involving laptop computers and portable electronic devices. Most breaches – at least 58% – also involved theft.
Data breaches were reported in every state, with California, Texas, Florida, New York and Illinois accounting for 34% of all major breaches.
The healthcare industry is a growing target of cyber attacks, with the frequency of breaches resulting from hacking increasing from 12% in 2010 to 27% in 2013. Given the new reliance on electronic health records and cloud-based services, the authors suggest this frequency has increased even further since the study was completed.
Despite the increasing cyber risk faced by these organisations, insurance agents and brokers working with healthcare companies may come up against some difficulties. According to cyber insurance broker Jack Elliott-Frey of Safeonline LLP, market capacity in the space is not yet where it should be.
“[The healthcare industry] is prone to damaging losses if personal health information and payment details are exposed,” Elliott-Frey told Insurance Business America. “There is a lack of capacity here as insurers are less inclined to underwrite organizations with large amounts of patient data.”
These sentiments echo those of AIG CEO Peter Hancock, who said in a presentation at New York University earlier this month that market capacity for cyber insurance is not large enough to adequately cover the risk. However, he suggested that the appetite of insurance carriers will grow as cyber security matures.
Elliott-Frey agrees – particularly as cyber attacks grow in number, driving up awareness and demand.
“Also, as the type of cyber attacks change, we will see more policy crossover, for example D&O policies including some clauses on cyber, and also standalone cyber policies including more aspects such as terrorism as the need arises.”
Read the full article here.