Tag: Data Breach


Cybersecurity has become one of the most significant issues impacting international security and political and economic stability. Our new report, Data Breach Industry Forecast 2018, outlines 5 predictions for the data breach industry in the coming year. Here are 3:

- The U.S. may experience its first large-scale attack on critical infrastructure, causing disruption for governments, companies and private citizens.
- Failure to comply with the new EU regulations will result in large penalties for U.S. companies.
- Attackers will use artificial intelligence to render traditional multifactor authentication methods useless.

Published: January 2, 2018 by Guest Contributor

Data breach industry predictions

High-profile data breaches dominated the headlines in 2017, and unfortunately, these attacks are anticipated to only increase in frequency and magnitude in 2018. Breaches like those that affected LinkedIn, Dropbox and Yahoo serve as a wake-up call for organizations to implement processes for safeguarding sensitive data and defending against attacks. However, for every advancement in cybersecurity, cybercriminals become more sophisticated in their techniques. Just when it seems like we have learned our lesson from one breach, another, more significant one occurs. As cybercriminals continue changing the rules mid-game, it has become clear that while they’re playing chess, we’re still playing checkers.

To help better prepare you and your organization for potential cyber threats, our team has put together its yearly data breach industry predictions on the issues and trends surrounding data security in 2018. Here are our five predictions for 2018:

- The U.S. may experience its first large-scale attack on critical infrastructure, disrupting governments, companies and private citizens.
- Failure to comply with new EU regulations will result in large penalties for U.S. companies.
- Perpetrators of cyber-attacks will continue to zero in on governments – this could lead to a shift in world power.
- Attackers will use artificial intelligence (AI) to render traditional multifactor authentication methods useless.
- Vulnerabilities in Internet of Things (IoT) devices will create mass confusion, leading to new security regulations.

Download our complimentary report to learn more about how these trends will shape the coming year, see how we scored against our 2017 predictions, and check out our new section revisiting predictions dating back to our inaugural 2014 report.

Published: December 11, 2017 by Michael Bruemmer

“Are we next?” That’s the question companies around the world are grappling with as more high-profile data breaches make headlines. At a time when one in four organizations experiences cyber-attacks, mishandling the response can do more damage than the breach itself.

We take precautions against dangerous situations every day. With years of practice either in school or at work, most of us know what to do if there’s an emergency. We conduct drills repeatedly because when we immediately know how to respond to a threatening situation, we can minimize destruction. Because of the high probability of a cyber-attack, businesses need to treat breach responses like internal drills, repeatedly practicing until it becomes instinctive.

Prepare your data breach response drill

A well-prepared incident response strategy should first define all breach scenarios (e.g., ransomware, malware, phishing, etc.) and their specific steps. Assembling a qualified team is also critical; individual roles and responsibilities should be defined and clearly communicated. After finalizing the essential components of your incident response plan, regular testing is crucial to ensuring your organization is equipped to handle the unexpected.

Practice makes perfect

Below are six principles to help guide your data breach response drill effectively:

- Bring in an outsider. Enlist the expertise of someone outside your organization to run the drills and serve as a moderator. A third-party facilitator allows you and your team to focus on individual tasks and responsibilities.
- Put aside plenty of time. At a minimum, give your team half a day to do the exercise and to debrief.
- It’s an exercise for everyone. All internal and external team members who will be involved in a data breach response need to participate in this activity.
- Expect the unexpected. Your drills should include various likelihoods and situations. Another benefit to bringing in an outside moderator is that they can throw unpredictable scenarios at your team.
- Debrief. After the exercise, the entire team should review, discuss each mock situation in detail, and identify any areas in need of improvement.
- Repeat every six months. Keep your team aware of the latest developments in the world of cybersecurity and prepared to tackle cyber threats by conducting drills every six months.

Executing these drills is invaluable and helps prove to your stakeholders, customers and employees that your company takes data security seriously. The more you practice putting your plan into action, the better prepared you’ll be in a real-life situation. Visit our website for more information about our offerings and how Experian can help you prepare and respond to data breaches.

Published: December 8, 2017 by Michael Bruemmer

Businesses may be increasingly aware of identity theft threats to their customers, but an Experian survey shows that many consumers still seriously underestimate their risk of falling victim to identity thieves. In fact, the persistent and harmful myth that the majority of consumers are not vulnerable to identity theft is badly in need of debunking.

Consumer misconceptions

The online Experian survey of 1,000 Americans, age 18 and older, found many consumers have a false sense of security about identity theft, even those who regularly engage in behaviors that can dramatically elevate their risk of having their identities stolen. For example:

- Sixty-two percent of consumers said the security of their personal information online is a minor concern that doesn’t worry them much, and 17 percent never worry about it at all.
- The top reason for their lack of concern? Twenty-seven percent said it was because they didn’t share that much personally identifiable information (PII) online. Yet consumers store an average of 3.4 types of PII online, and have a large digital footprint that can make it easy for cybercrooks to track and steal their information.
- Half believe poor credit means identity thieves won’t be interested in stealing their PII.
- Twelve percent believe they’re safe because they take security precautions, and 9 percent think using only secure websites insulates them from identity theft risks.

Risky behaviors

When identity theft occurs, consumers are likely to blame any business they associate with the theft. A Gemalto survey found that consumers said protecting their data is 70 percent the responsibility of the companies they do business with, and just 30 percent their own responsibility, Infosecurity Magazine reports. What’s more, 29 percent said they don’t think businesses take their responsibilities seriously enough when it comes to protecting consumer data. Yet the survey found consumers are probably far more responsible for identity theft than they think because they continue to engage in behaviors that put them at greater risk. These include:

- Shopping online over a public Wi-Fi connection (43 percent)
- Allowing others to use online account names and passwords (33 percent)
- Letting others know their mobile device passwords (29 percent)
- Sharing payment card numbers and/or PINs (25 percent)
- Letting others use their PII to secure a job or credit (20 percent)
- Failing to enroll in credit monitoring or identity theft protection services (82 percent)
- Leaving it up to their banks and credit card companies to catch signs of fraud (81 percent)

These dangerous habits can expose consumers’ PII to cybercriminals, even though half of those we surveyed didn’t think they were likely to become victims of identity theft.

Impact of identity theft

When consumers become identity theft victims, they experience a range of negative emotions and real consequences that affect them personally and financially. According to a survey by the Identity Theft Resource Center, identity theft victims reported feeling frustrated, fearful, angry and stressed. Many had trouble concentrating, lost sleep and felt physically ill because of the crime. They also reported the identity theft overshadowed their personal relationships, their personal and professional credibility, and even affected their ability to get jobs. Some even lost their jobs as a result.

What companies can do

Clearly, identity theft can be devastating and consumers need to do more to protect themselves. When it occurs, identity theft also undermines the consumer’s trust in companies and institutions, especially if the identity theft occurred in connection to or following a data breach. Helping consumers protect themselves from identity theft benefits everyone. Consumers can avoid the financial and emotional turmoil identity theft causes, and companies can help preserve their relationship with customers. As part of an effective data breach response plan, companies should include a consumer care element that provides breached consumers with:

- Free identity theft protection and credit monitoring services
- Dark web and internet records scanning
- Fraud resolution services
- Identity theft insurance

Myth debunked

Year after year, identity theft statistics demonstrate that most consumers are at risk of falling prey to identity thieves, no matter what they believe to the contrary. Unfortunately, consumers continue to take actions that can place their identities at risk. While you can’t force your customers to stop accessing their bank accounts over airport Wi-Fi or using the same password for all their financial accounts, you can take steps to reduce the risk they’ll experience identity theft because of something your organization did or didn’t do.

Helping consumers protect themselves from identity theft makes good business sense, and it’s the right thing to do. Plus, consumers expect it; according to the Ponemon Institute’s “Mega Data Breach: Consumer Sentiment” survey, 63 percent of consumers believe a company that experiences a data breach should offer free identity protection to customers affected by the breach.

Published: September 18, 2017 by Michael Bruemmer

Cybersecurity cannot be successful if siloed. The entire organization must be part of the effort. Take these steps to ensure a more engaged relationship between cybersecurity teams, C-suite executives and other departments:

- Make the company’s chief information officer accountable directly to the chief executive officer and/or the board.
- Train employees at every level to spot security risks and to understand their role in protecting the entire organization from cyberattacks.
- Put cybersecurity on the agenda for every board and executive-level meeting, and incorporate it into quarterly state-of-the-company, all-hands meetings.

With cybersecurity threats evolving and escalating daily, companies need to make engagement a priority that starts at the top and continues through every level of the organization.

Published: September 7, 2017 by Guest Contributor

There’s a consensus that too many C-suite executives are disengaged from their organization’s cybersecurity efforts. That indifference can seriously hamper an organization’s ability to quickly and effectively respond to an incident. To best protect the organization, cybersecurity professionals should take the following steps to increase engagement:

- Pinpoint the greatest cybersecurity issues your organization faces and create descriptive verbiage that simplifies these risks.
- Engage in one-on-one meetings with key leaders to help them understand how cybersecurity risks affect not only the overall organization, but their domain as well.
- Stage a cybersecurity simulation exercise for your C-suite executives in which members role-play a data breach scenario.

Leadership is not the only department that should be invested in protecting the organization. Next week, we’ll look at how to engage the entire organization in cybersecurity efforts. If you’d like, you can jump ahead and read it now.

Published: August 31, 2017 by Guest Contributor

Leadership and Cybersecurity

Multiple studies suggest many executives aren’t as engaged as they should be when ensuring their organizations are prepared to mitigate and manage cybersecurity risks. Insights from our Fourth Annual Data Breach Preparedness Survey, conducted by the Ponemon Institute, support this sentiment. Of the privacy, compliance and IT professionals polled:

- 57% said their company’s board, chairman and chief executive officer were not informed about or involved in data breach response planning.
- 60% have leadership who don’t want to know immediately when a material breach occurs.
- 66% have a board that doesn’t understand the specific cybersecurity threats their organization faces.
- 74% said their board isn’t willing to take ownership for successful incident response plan implementation.

For organizations to protect themselves, cybersecurity professionals need to create greater engagement among the organization’s leadership. Next week, we’ll look at how they can accomplish this. If you’d like, you can jump ahead and read it now.

Published: August 24, 2017 by Guest Contributor

When a cybersecurity incident occurs, will your organization’s data breach response contribute to customer retention or undermine it? Multiple studies and surveys illustrate that how well a company supports consumers in the wake of a security event directly affects customers’ perceptions of and loyalty to the breached company.

Consumers expect companies to help them manage the potential and real fallout of a data breach. Failing to do so can increase post-breach churn, whereas successfully helping consumers can equate to greater retention. In particular, offering monitoring services to customers affected by a cybersecurity incident could make the difference between retaining those customers and their good will, or losing them to the competition.

Consumer impact

Research by Experian Data Breach Resolution and our partners reveals how data breaches affect consumers:

- 76 percent of consumers who’ve experienced a data breach cite stress as the primary consequence.
- 39 percent cite the time they had to spend resolving problems caused by the breach as the worst consequence.
- Nearly half of those affected by a data breach feel it will put their identities at risk for years to come.

Consumers want companies to step up after a breach and provide identity theft protection (63 percent), credit monitoring (58 percent) and even compensation in the form of cash, products or services (67 percent).

Four out of every five consumers who received a data breach notification continued to do business with the company through which their information was compromised, but they didn’t necessarily stay because they were satisfied. Just 45 percent of consumers say they continued doing business with the company because they were happy with the way the company resolved the data breach. Instead, 67 percent said they stayed because going elsewhere was just too difficult, and 61 percent thought moving their business wouldn’t give them access to any greater security since data breaches are unavoidable.

If you provide it…

Even more compelling for the case in favor of offering post-breach monitoring services to affected consumers is this statistic from our research: Nearly three quarters (72 percent) of breached consumers take action after being notified of a breach, including updating their anti-virus software and reviewing online account activity or security policies. Twenty-nine percent accepted offers of free identity protection services.

Consumers are increasingly aware that being caught up in a data breach can increase their risk of experiencing identity theft, either immediately following the event or in the future. They are willing to take steps to protect themselves, and they want breached companies to help them.

Providing post-breach monitoring services can help protect consumers from the possibility of identity theft related to the breach, and help protect companies from the loss of business that can result when customers feel the organization hasn’t done enough to aid them.

Published: August 4, 2017 by Michael Bruemmer

Most companies aren’t prepared to respond to a global data breach, and aren’t yet ready to comply with the European Union’s General Data Protection Regulation (GDPR), even though it takes effect in less than a year, according to the latest Ponemon Institute report sponsored by Experian® Data Breach Resolution.

Nearly a third of the 588 information security and compliance professionals interviewed for the survey said their organizations had no global incident response plan in place, and 38 percent have a single plan that’s applied around the world. Just 27 percent reported having separate plans at the country or regional level, but even those who had a plan weren’t confident about its efficacy.

The global scope of data breaches

The number of data breaches reached a record high in 2016 — 4,149 incidents in 102 countries around the world exposed more than 4.2 billion records, according to cybersecurity company Risk Based Security. Ponemon’s survey underscores the scope of global data breaches; 51 percent of respondents reported their companies experienced a global data breach in the past five years, and 56 percent of breached companies had more than one incident.

When the GDPR goes into effect in May 2018, any company that processes and/or holds the personal data of European Union consumers will be required to comply with the regulation, regardless of where the company is located. Failure to comply can lead to fines ranging from 2 percent to 4 percent of a company’s annual global turnover.

Despite the escalating risks of falling victim to a global data breach and the possible repercussions of not complying with the GDPR, Ponemon’s survey shows a widespread lack of preparedness among companies.

Levels of unpreparedness

When it comes to preventing and responding to a global data breach, and ensuring they comply with the GDPR’s strict notification rules, many survey respondents expressed significant shortfalls in preparedness:

- Outdated and inadequate security solutions would hinder the ability of 49 percent to cope with a global data breach.
- Just 40 percent of respondents felt confident their organizations’ security technologies would adequately protect information assets and IT infrastructures overseas, and only 39 percent said they had the right policies and procedures to do so.
- Slightly more than a third thought their companies could successfully manage cultural differences and privacy and data security expectations in different areas of the world.

A majority of respondents (89 percent) predicted the GDPR will significantly affect their data protection practices, and 69 percent felt non-compliance would hinder their companies’ ability to do business globally. Yet only a quarter said their companies were ready to comply with the new regulation.

While most understand GDPR is something they need to worry about, many aren’t sure what to do. The survey reveals some companies may be feeling desperate enough about the looming regulation to take drastic measures; 34 percent said their preparations include closing operations in countries with high non-compliance rates.

Timely notification of regulators and EU citizens affected by a data breach is a key component of the GDPR, yet the majority of our survey respondents (69 percent) said they would have trouble meeting the time limitations. The GDPR requires breached companies to notify regulators within 72 hours of discovering a breach, and affected consumers “without undue delay.” Half of our survey respondents said they experienced a global breach that required notification of victims. Only 10 percent were able to do so within the GDPR’s 72-hour window; 38 percent reported notification took two to five months to complete.

Obstacles to preparedness

The years-long evolution of the GDPR, which will replace older regulations, is evidence that world governments are taking data breach risks seriously. Unfortunately, our study indicates not all C-suite decision-makers are as concerned about global data breach risks as they should be, and their antipathy is impairing their organizations’ ability to prepare for a global data breach.

While the security professionals surveyed cited high-volume breaches (65 percent) and breaches involving high-value information (50 percent) as the data risks that concern them the most, only 30 percent said their organization’s C-suite was fully aware of the company’s compliance status. Further, just 38 percent said their executives viewed global data regulations as a top priority.

Technology limitations and lack of executive support are significant obstacles to preparedness and compliance, but they’re not the only ones. Additionally, survey respondents cited:

- Reluctance to make needed comprehensive changes in business practices (60 percent)
- Not enough budget to hire staff (37 percent)
- Unrealistic demands from regulators/regulations (35 percent)
- Not enough money for appropriate security technology (34 percent)
- Lack of knowledge about global data breach response (29 percent)

What companies must do

Some survey respondents indicated their organizations are taking the right steps toward preparedness and compliance. They are putting in place security technologies to quickly detect a data breach (48 percent), have tested and proven response plans (44 percent), can quickly identify whether a breach will require notification (15 percent) and are prepared to notify regulators within 72 hours of breach discovery (13 percent).

However, many organizations could be doing more to prepare for a global data breach and to comply with the GDPR. Global data breach risks continue to increase in number, scope and impact, and the potential loss of business and financial impact of a breach could prove catastrophic for affected companies. With less than a year to go until the GDPR takes effect, any company that conducts business internationally needs to act now to ensure it will be ready to deal with a global data breach when it occurs.

Published: June 27, 2017 by Michael Bruemmer

Like an unimmunized person in a roomful of flu patients, the healthcare sector continues to be at high risk of catching something unpleasant. Cyberattacks and data breaches jeopardize the well-being of healthcare organizations of every size, and too often their exposure is a result of not doing everything they can to immunize themselves against attack.

In our 2017 Data Breach Industry Forecast, we predicted the profitability and uneven defenses of the healthcare sector would cause cybercriminals to continue to focus attacks on healthcare organizations. Numbers from the Identity Theft Resource Center indicate our prediction was right; by mid-year, 151 healthcare breaches have compromised more than 1.9 million records, accounting for nearly 22 percent of all 2017 breaches thus far. We also predicted:

- Ransomware would emerge as a top threat for healthcare organizations.
- Cybercriminals would expand their range of targets within the sector, causing mega breaches to broaden their focus from insurers to other organizations, including hospital networks.
- Electronic health records and mobile applications would increasingly be targeted.

The year so far

In mid-May the WannaCry ransomware cyberattack became the largest ever, affecting computer systems in more than 150 countries. Ransomware uses malicious code to infect systems, seize control and shut down user access until the affected organization or individual pays a ransom to unlock their systems.

Britain’s National Health Service (NHS) was one of the largest victims of WannaCry, which infected medical devices as well as administrative PCs. The impact was widespread, affecting critical operations and causing hospitals to reject patients, doctor’s offices to shut down and emergency rooms to divert patients. Like a patient with a compromised immune system who ignores his doctor’s advice to get an annual flu shot, the NHS allegedly disregarded multiple security warnings to update and protect its systems.

Cybercriminals have also expanded their targets for mega breaches beyond insurers. So far in 2017, the largest known healthcare breach in terms of number of compromised records occurred at a urology practice in Austin, Texas. ITRC statistics show nearly 280,000 records were compromised through the breach of the practice, which has eight locations in the greater Austin area. According to the practice’s official data breach notice, a ransomware attack encrypted data stored on the organization’s servers.

Electronic health records were the target of cyberattacks at numerous healthcare organizations, including a fertility and menopause clinic in New Jersey, where more than 17,000 records were compromised, ITRC reports.

The number, scope and impact of healthcare cyberattacks will only grow. The industry that focuses on taking care of Americans’ physical and mental health should proactively take steps to safeguard its own health by updating security measures and data breach response plans.

Published: June 2, 2017 by Michael Bruemmer

Risk managers, legal experts and brokers say phishing and social engineering are, by far, the biggest security threats facing their companies and clients. In fact, 80 percent of legal experts polled by Advisen for Experian Data Breach Resolution’s 2017 Cyber Risk Preparedness and Response Survey, 68 percent of brokers and 61 percent of risk managers cited phishing/social engineering as their top concern.

Why do they feel that way? A look at the numbers and some insight into human nature can explain their fears — and help you understand why your organization should be just as concerned about phishing risks.

By the numbers

Phishing and social engineering are particularly effective forms of cyberattack because they use technology and knowledge of human nature to manipulate employees into actions that serve the attacker’s purpose. How effective are they?

- Employees succumbing to a targeted phishing attack was one of the top two insider risks cited by executives who responded to the Ponemon report Managing Insider Risk through Training and Culture.
- Sixty-one percent of information security professionals polled by Wombat Security for its 2017 State of the Phish report said their organization had been the victim of a phishing attack.
- According to the Ponemon Fourth Annual Preparedness Study, 38 percent of respondents are not confident they can deal with a spear phishing incident.

The human risk factor

Phishing in general and spear phishing in particular are successful because human beings are often the chink in an organization’s cybersecurity armor. All it takes is one overly curious and under-cautious employee clicking on a suspicious email, or a well-meaning worker who responds to a seemingly authentic request for proprietary information.

Those scenarios are the stuff of nightmares for information security professionals, and unfortunately they happen all too frequently. Multiple studies show that negligent employees cause more data breaches than other sources, whether they succumb to a phishing attack or lose a company laptop at the airport. However, studies also show that cybersecurity training, including a component on phishing, can help reduce employee-related risks.

Training is critical

Among organizations that train employees on how to spot and avoid phishing attacks, 52 percent reported they were able to see quantifiable results — fewer successful attacks — based on their training, Wombat said. Respondents to the Advisen survey stressed the importance of creating a company culture in which cybersecurity is everyone’s job and knowledge of phishing and how to thwart attacks is the norm.

Employee training in cybersecurity should begin as part of the onboarding process when the worker joins your organization, and everyone should get a refresher at least annually. While 67 percent of those surveyed by Ponemon said their organizations didn’t incentivize employees to proactively protect sensitive information or report potential issues, any successful culture of security should reward those who are embracing their roles as protectors — and not just punish those who fall short.

Published: May 31, 2017 by Michael Bruemmer

With the recent switch to EMV and more than 4.2 billion records exposed by data breaches last year*, attackers are migrating their fraud attempts to the card-not-present channel. Our recent analysis found the following states to be the riskiest for e-commerce fraud in 2016:

- Delaware
- Oregon
- Florida
- New York
- Nevada

Attackers are extremely creative, motivated, and often connected. Prevent e-commerce fraud by protecting all of your customer contact points.

Published: April 13, 2017 by Guest Contributor

Internet-connected devices provide endless possibilities, but they rely on technology and collected data to deliver on their promises. This can compromise your network security. Follow these tips to enjoy the conveniences provided by Internet of Things devices while keeping your network safe.

- Look for devices that use end-to-end encryption.
- Change default passwords before connecting devices to your network.
- Enable two-factor authentication, when available.
- Leverage all security options, such as passwords, encryption, firewalls and firmware.

The Internet of Things is only as strong as its weakest link. That’s why it’s so important to understand and treat each connected device as part of a broader network.

Published: January 6, 2017 by Guest Contributor

Happy holidays! It’s the holiday season and a festive time of year. Colorful lights, comfort food and holiday songs – all of these things contribute to the celebratory atmosphere which causes many people to let their guards down and many businesses to focus more on service than on risk. Unfortunately, fraudsters and other criminals can make one of the busiest shopping times of the year a miserable one for their victims.

The nature of the stolen data has the potential to create long-term headaches for the organization and tens of millions of individuals. Unlike a retailer or financial breach, where stolen payment cards can be deactivated and new ones issued, the theft of permanent identity information is, well, not easily corrected. You can’t simply reissue Social Security numbers, birth dates, names and addresses.

For individuals, we need to internalize this fact: our data has likely been breached, and we need to become vigilant and defend ourselves. Sign up for a credit monitoring service to be alerted if your data or ID is being used in ways that indicate fraud. Include your children, as well. A child’s identity is far more valuable to a fraudster as they know it can be several years before their stolen identity is detected. The good news is, in addition to the credit bureau, many banks and auto clubs now offer this as a service to their customers.

For organizations, the focus should be on two fronts: data protection and fraud prevention. Not just to prevent financial theft, but to preserve trust — trust between organizations and consumers, as well as widespread consumer trust. Organizations must strive to evolve data protection controls and fraud prevention skills to minimize the damage caused by stolen identity data.

There are dozens of tools in the industry for identifying that a consumer is who they say they are – and these products are an important part of any anti-fraud strategy. These options may tell you that the combination of elements is the consumer, but do you know that it is the REAL consumer presenting them? The smart solution is to use a broad data set for not only identity verification, but also to check linkage and velocity of use. For example:

- Is the name linking to other addresses being presented in the past week?
- Is the phone number showing up to other addresses and names over the past 30 days?
- Has the SSN matched to other names over the past 90 days?
- Since yesterday the address matches to four phone numbers and two names – is this a problem?

And it must be done in ways that reinforce the trust between consumers and organizations, enhance the customer experience, and frustrate criminals.

As we go walking in the winter wonderland, remember, the holiday season is a time for cheer… and vigilance!

Published: December 2, 2016 by Debbie Sutherland

Late last year, our Third Annual Data Breach Industry Forecast predicted cybercriminals would continue to focus their attacks on healthcare institutions, inspired by the knowledge that the black market value of medical records continues to surpass the value of credit card numbers. Industry experts we interviewed also predicted employee missteps would be a source of healthcare breaches.

Entering the final quarter of 2016, our prediction is playing out in the numbers; nearly half of all consumers affected by a data breach so far this year had their personal information exposed through a healthcare-related incident, according to information compiled by the Identity Theft Resource Center. In the first three quarters of the year, 256 medical and healthcare data breaches exposed more than 13.5 million records, the highest number of any sector the ITRC tracks. Records compromised in a healthcare breach accounted for 47.2 percent of all affected records in 2016.

The healthcare sector has been a hotbed of attacks throughout the year, largely due to the continued value of medical records sold on the dark web. These records can be used for far more than just filing fraudulent medical claims. One lucrative use is filing fraudulent tax returns. CNBC reported the IRS expects, and has been bracing for, an increase in tax fraud linked to the high number of medical breaches this year.

It’s easy to understand why medical records can be so profitable for hackers. While financial accounts such as credit cards may contain a limited amount of personal information, medical records are much more comprehensive. Typically, they contain a wealth of information far beyond mere account numbers. In addition to names, addresses and birth dates, medical records often contain Social Security numbers, which healthcare providers may use as patient identifiers.

The employee factor

Many of the mega-breaches of 2015 occurred through digital routes that the average consumer would find downright arcane. In 2016, we’ve seen an increase in smaller attacks with mundane origins such as stolen hardware, poorly secured employee email accounts or phishing attacks. Consider these examples reported in the HIPAA Journal:

Four staff email accounts were compromised in a phishing attack on employees at City of Hope Hospital in California. To put it more bluntly, four hospital employees fell for scam emails and the result was, as ITRC reports, the exposure of more than 1,000 patient records.

More than 200,000 patients of Premier Healthcare in Bloomington, Indiana, received notification letters after a password-protected but unencrypted laptop was stolen from the hospital’s billing department.

A St. Louis, Missouri, not-for-profit healthcare system, BJC Healthcare, had to notify more than 2,300 patients their information was exposed after an employee mistakenly sent an email containing protected information to another medical organization.

For healthcare institutions, the takeaway from 2016 should be the need to remain vigilant and proactive regarding the many ways in which data breaches can occur. While 2015 was the year of healthcare mega-breaches, 2016 has seen the emergence of smaller breaches that still have the potential to cause significant harm to organizations and patients.

Published: November 2, 2016 by Guest Contributor
