Data breaches of small businesses, including doctor offices, on the rise

A report says cyber criminals are seeking what they consider easy targets.

By — Posted April 5, 2012


Small organizations, including physician practices, represented the largest number of data breaches in 2011, according to Verizon’s annual Data Breach Investigations Report.

The report examined 855 breaches across the globe that accounted for 174 million compromised records in 2011. The analysis found that cyber criminals are responsible for a large number of breaches globally, and small organizations are considered easy targets.

One of the reasons breaches at small health care organizations are on the rise is that automated attacks searching for remote Internet access services combined with weak passwords “were successful against smaller health care businesses, such as physicians’ offices and clinics,” said Marc Spitler, senior risk analyst of RISK Intelligence for Verizon.

The report said 97% of the crimes could have been avoided through simple or intermediate security controls.

For the report, Verizon partnered with the U.S. Secret Service; the Dutch National High Tech Crime Unit; the Australian Federal Police; the Irish Reporting & Information Security Service and the Police Central eCrime Unit; and the London Metropolitan Police. Small organizations represented the largest number of victim organizations, with 612 of the 855 incidents occurring at an organization with one to 100 employees.

When broken down by industry, health care and social assistance organizations represented 7% of the breaches. “Smaller organizations are the ideal target ... and money-driven, risk-averse cyber criminals understand this very well,” the report said.

The report found that 65% of the breaches had a low level of difficulty for the initial compromise of data.

“We’ve come to the realization that many of the organizations covered in this report are probably not getting the message about their security,” the report’s authors wrote. “We’re talking about the smaller organizations that have one [or a handful of point-of-service] systems.”

The report was not specific to health care, nor did it include all types of breaches. For example, incidents involving lost devices or insecure record disposal were unlikely to have been investigated by the agencies that contributed data to the report, Spitler said. Most of the incidents in the report involved organizations that were targeted not because of the health data but rather because of the debit/credit card transactions that occurred at a health care organization.

Larry Clinton, president and CEO of Internet Security Alliance, said cyber criminals are just one threat to health care data. Lost devices and inside jobs also are responsible for a growing number of data breaches.

The Internet Security Alliance, a multisector trade association for organizations concerned about information security, published a report in March with the American National Standards Institute and the Shared Assessments Program that underscored the threat to small practices. It found that health data breaches have grown rapidly with the adoption of electronic health record systems.

Between 2005 and 2008, 39.5 million patient records were breached in the United States, according to the research. In the past two years, 18 million Americans have been impacted by a breach. Medical information is considered not only easier to access, given the lack of data security at many organizations, but also valuable.

Clinton said a thief could make $50 for a medical identification number compared with $1 for a Social Security number.

The Verizon report recommends that small organizations change default credentials on point-of-service systems and other Internet-facing devices.

The first step is realizing how valuable the data are on the black market, Clinton said, and then recognizing that this is not just an IT problem. An organizationwide risk management approach is needed. His firm offers free publications that help small organizations set up cyber-security programs.

“Attackers are businessmen themselves,” Clinton said. “They look for the greatest return on investment, and that would be to attack medical professionals that have little to no security defenses, often which is the smaller businesses.”
