Information Security & Data Breach Report
November 2013 Update
Information Security and Data Breach Report

Headlines like "State Attorneys General Are Crucial Force in Enforcement of Data Breach Statutes" and "Lawmakers Push for Federal Data Breach Notification Law" demonstrate increasing local and national concern with information security. [1] With more regulatory bodies taking notice of data privacy events, it has become clear that companies need the proper risk management protocols in place to handle this increasingly complex environment.

We are pleased to present our latest report, which is designed to provide you with insights into notable breaches and identify trends, with the objective of answering the following principal questions:

1. What is the total number of breaches per quarter?
2. What types of entities are experiencing breaches?
3. What is the average number of days between discovery and disclosure of a data breach?
4. What types of data are being compromised?
5. What is the average number of records per breach?
6. What are the leading causes of data breaches?
7. What is the average total cost of a data breach?

METHODOLOGY USED FOR IDENTIFYING DATA BREACHES

Navigant captured all major data breaches disclosed publicly during the second quarter of 2013 (April 1, 2013 to June 30, 2013) for comparison against data from the prior four quarters (the "Four Quarter Average"). [2] As part of the methodology, Navigant evaluated multiple sources to compile a list of breaches that took place in the United States involving a minimum of 1,000 exposed or potentially exposed records. [3] The incidents identified in this report involve breaches in which physical or electronic records were hacked, lost, stolen, or improperly exposed or discarded.

DATA BREACH SCORECARD

- Healthcare entities accounted for the largest percentage of the data breaches in both reporting periods (Q2: 52% vs. Four Quarter Average: 45%).
- The average number of days between discovery and disclosure of Corporate breaches decreased to 51 days from the prior Four Quarter Average of 61 days.
- Hospitals experienced breaches more often than other healthcare entities across reporting periods (Q2: 34% vs. Four Quarter Average: 37%).
- The average number of records exposed per data breach was 56% below the Four Quarter Average (Q2: 19,694 vs. Four Quarter Average: 44,445).
- There was a 47% decrease in the number of records breached between reporting periods (Q2: 1.24 million records vs. Four Quarter Average: 2.32 million records).

1. WHAT IS THE TOTAL NUMBER OF BREACHES PER QUARTER?

We identified 63 major data breaches in Q2 compared to the average of 52 from the previous four quarters, a 21% increase. This is the second largest number of breaches identified in the history of this report; in our inaugural edition, we identified 77 breaches in Q[…]. The Q2 breaches exposed 1,240,698 records, which is 1.08 million records fewer than the prior Four Quarter Average of 2,322,263. Half of the top ten breaches in Q2 involved Government entities, followed by two Healthcare breaches, two Corporate breaches and one breach in the Education sector. The top five breaches in Q2 represented over 724,000 records, 58% of the total. During the prior four quarters, seven out of the top ten breaches were either Corporate or Education entities.

One of the largest breaches identified in Q2 occurred at a regional medical center in California. In late 2012, the hospital contracted with a local vendor to digitize and then destroy X-rays from patient files. The medical center learned from law enforcement in March 2013 that its files were missing. The hospital, working with local law enforcement, immediately began an internal investigation to determine what happened. The missing radiology records pertain to dates of service prior to February 2011 and may include patient names, dates of birth (DOBs), addresses, medical record numbers, physician names, diagnoses, radiology procedures, radiology interpretations, health insurance numbers and, in some instances, Social Security numbers (SSNs). In response to this incident, the company contacted all affected users and offered free credit monitoring. The medical center also set up a toll-free number for those affected and implemented additional security measures to protect patients from future breaches.

2. WHAT TYPES OF ENTITIES ARE EXPERIENCING BREACHES?

Our report classifies the organizations affected by data breaches into five categories: Healthcare, Corporate, Education, Government and Other. [4] These designations provide an overview of the entities that experienced a physical or electronic records breach. Across both Q2 and the Four Quarter Average, Healthcare entities experienced the largest percentage of breaches identified. In Q2, Healthcare entities accounted for 52% of all breaches identified, followed by Corporate (19%), Government (16%), Education (10%), and Other (3%) (See Figure 1). For the Four Quarter Average, Healthcare entities experienced 45% of the data breaches identified, followed by Corporate (17%), Education (17%), Government (16%), and Other (5%) (See Figure 2).

As part of Navigant's analysis, we further segmented Healthcare entities to get a better sense of the types of organizations affected by data breaches. The types of Healthcare entities which experienced data breaches in Q2 and the prior four quarters are shown in the Healthcare Entity Type table below. Hospitals are the largest single category of Healthcare data breaches: 34% in Q2 and an average of 37% in the prior four quarters. The percentage of data breaches occurring at Physician Offices declined significantly, from 25% in the Four Quarter Average to 15% in Q2. Conversely, the share of Mental Health Treatment Facility breaches increased to 15% in Q2 from only 3% in the Four Quarter Average.
[FIGURE 1: BREACHES BY TYPE OF ENTITY (Q2): Healthcare 52%, Corporate 19%, Government 16%, Education 10%, Other 3%]

[FIGURE 2: PRIOR FOUR QUARTERS BREACHES BY TYPE OF ENTITY: Healthcare 45%, Corporate 17%, Education 17%, Government 16%, Other 5%]

HEALTHCARE ENTITY TYPE

Healthcare Entity Type            | Q2   | Four Quarter Average
Hospitals                         | 34%  | 37%
Physician Offices                 | 15%  | 25%
Mental Health Treatment Facility  | 15%  | 3%
Clinics                           | 15%  | 9%
Health System                     | 9%   | 10%
Home Health Services              | 6%   | 7%
Surgical Center                   | 3%   | 1%
Dental Practice                   | 3%   | 6%
Rehabilitation Facility           | 0%   | 2%

A notable Healthcare data breach involving the loss of sensitive medical and personal data took place at a counseling and treatment center with several locations across southern Arizona. One of the center's employees was the victim of a burglary resulting in the loss of a company laptop and external hard drive. The thief broke into the employee's home sometime in mid-March […]. The employee, upon discovering the laptop and external hard drive were missing, filed a police report. The external hard drive contained the names, DOBs and treatment plans of over 3,000 patients who visited the centers between 2011 and […]. Those affected by the data breach were notified by letter and offered free credit monitoring. According to news reports, it is not clear what additional remediation steps the company took following this breach.

3. WHAT IS THE AVERAGE NUMBER OF DAYS BETWEEN DISCOVERY AND DISCLOSURE OF A DATA BREACH?

Data security regulations and the increasing danger of identity theft have elevated the importance of a timely response and disclosure after the discovery of a data breach. Forty-six states and several U.S. territories, including Guam, the Virgin Islands and Puerto Rico, have enacted data breach reporting requirements. Some states allow a company to conduct a reasonable investigation of the incident before notification, while other states have established specific timelines for notification. States such as North Dakota, South Carolina and Vermont have recently passed legislation strengthening their data breach notification rules. In North Dakota, the state legislature expanded the definition of personal information under House Bill No. […] to include health insurance information and medical information. Vermont now requires financial institutions regulated by the state to provide notice of a breach to the Department of Financial Regulation. Under Vermont House Bill No. 513, consumers must be notified no later than 45 days after the discovery of a data breach, and the Attorney General within 14 business days. States without specific data breach notification laws include Alabama, Kentucky, New Mexico and South Dakota.

The average number of days between discovery and disclosure for all breaches decreased to 54 days in Q2 from 55 days in the Four Quarter Average. We also track the average number of days between discovery and disclosure by type of entity (See Figure 3). The two entity types that experienced significant change in this metric were Corporate and Other. The significant decrease in time between discovery and disclosure for Corporate entities can be attributed to several breaches that were disclosed less than 20 days after discovery of the incidents.

One of these breaches involved the largest provider of discounted phone service to low-income families. A newspaper investigation found more than 170,000 customer records from 26 different states available online. The records were identified through a Google search and included SSNs, DOBs and information about participation in other government-assistance programs. The records were being stored online by a third-party vendor who helps the company determine eligibility for the program. Of the 170,000 records, 44,000 were application or certification forms while 127,000 were supporting documents such as photos of driver's licenses, tax records, pay stubs including bank account information, or passports. The company, upon learning of the breach, removed the information from the Internet and began an internal investigation. Several hundred applicants who were at heightened risk of identity theft, and those in Texas, Minnesota, Nevada and Illinois, were contacted about the breach. The company established a hotline for those affected by the incident and has offered free credit monitoring to those most at risk.

[FIGURE 3: AVERAGE NUMBER OF DAYS BETWEEN DISCOVERY AND DISCLOSURE BY TYPE OF ENTITY (Corporate, Education, Government, Healthcare, Other)]

Currently, both federal and state authorities require that entities holding personal health information disclose that a data breach has occurred. The Department of Health & Human Services (HHS) issued data breach regulations in August […]. At the same time, similar breach notification regulations were issued by the Federal Trade Commission (FTC). As part of directives under the Health Information Technology for Economic and Clinical Health (HITECH) Act, finalized in January 2013, both HHS and the FTC require HIPAA-covered entities to provide notification following a breach of protected health information no later than 60 days after the incident. [5] Our analysis shows the average number of days between discovery and disclosure of breaches of medical records was 70 days for the prior four quarters compared to 64 days in Q2, representing a 9% decrease.

4. WHAT TYPES OF DATA ARE BEING COMPROMISED?

The types of data being compromised include personally identifiable information (PII), such as names, DOBs or SSNs; protected health information (PHI), such as information related to medical conditions, the provision of healthcare, or payment for the provision of healthcare; and financial information, such as bank account or credit card numbers. We identified several categories of data commonly at risk in data breaches, including: Names, Contact information, SSNs, DOBs, Medical records, Credit cards, Email addresses, Financial information and Miscellaneous information (See Figure 4). Many of the incidents identified in this report have multiple types of data associated with each breach. In Q2, the percentage of breaches involving some of the most sensitive data was below the Four Quarter Average, including SSNs (Q2: 52% vs. Four Quarter Average: 56%) and DOBs (Q2: 40% vs. Four Quarter Average: 42%). Breaches of medical information, on the other hand, were above the Four Quarter Average (Q2: 49% vs. Four Quarter Average: 48%). Healthcare entities accounted for over 68% of the total breaches involving DOBs in Q2.

A breach that involved almost 6,000 patient records containing PHI and other data took place at a pediatric primary care clinic in Florida. In April 2013, the clinic, part of a university health system, was notified by federal authorities and the Secret Service that an employee potentially accessed patient medical records as part of an identity theft ring. The employee may have used the records to steal personal information including names, addresses, DOBs and SSNs. The university began an internal investigation and immediately terminated the employee. The employee's job description permitted access to patient records. The university clinic, out of caution, set up a toll-free hotline to answer questions and offered identity theft monitoring services for one year. It is not clear from news reports what steps, if any, the clinic took to enhance its protocols and security measures concerning patient record access.

[FIGURE 4: BREACHES BY TYPE OF INFORMATION (Name, Contact, SSN, DOB, Medical, Credit Card, Email, Financial, Misc)]

5. WHAT IS THE AVERAGE NUMBER OF RECORDS PER BREACH?

Navigant has calculated the average number of records per breach by type of entity (See Figure 5). This analysis revealed that the average number of records per breach was 56% lower in Q2 than in the previous four quarters (Four Quarter Average: 44,445 vs. Q2: 19,694). The largest change between reporting periods was an 81% decrease for Other entities (Four Quarter Average: 25,454 vs. Q2: 4,863). The average number of records per breach for Corporate entities in Q2 decreased 69% from the prior four quarters (Four Quarter Average: 75,340 vs. Q2: 23,517). Government entities experienced a 58% decline from 89,392 records in the prior four quarters to 37,271 records in Q2. The average number of records per breach for Education entities was 53,948 during the prior four quarters versus 28,350 in Q2, a decrease of 47%. Healthcare entities averaged 15,518 records during the prior four quarters compared to 12,302 records in Q2, a 21% decrease.

FIGURE 5: AVERAGE RECORDS PER BREACH BY TYPE OF ENTITY

Entity      | Four Quarter Average | Q2
Corporate   | 75,340               | 23,517
Education   | 53,948               | 28,350
Government  | 89,392               | 37,271
Healthcare  | 15,518               | 12,302
Other       | 25,454               | 4,863

[FIGURE 6: BREACHES BY TYPE OF METHOD (Q2): Theft 25%, Public Access or Distribution 22%, Unauthorized Access/Use 18%, Hack 18%, Loss 11%, Virus 6%]

[FIGURE 7: BREACHES BY TYPE OF METHOD (Four Quarter Average): Theft 35%, Hack 19%, Public Access or Distribution 15%, Unauthorized Access/Use 13%, Loss 11%, Virus 4%, Improper Disposal 3%]

6. WHAT ARE THE LEADING CAUSES OF DATA BREACHES?

The different causes of a data breach are summarized into seven major categories: Virus, Hacking, Loss, Theft, Public Access/Distribution, Unauthorized Access/Use, and Improper Disposal. [6] The relative volume of data breach methods in Q2 is shown in Figure 6. The Four Quarter Average had a similar break-out (See Figure 7).
In Q2, Public Access or Distribution, Unauthorized Access/Use and Virus were trending up compared to the Four Quarter Average; however, Theft was trending downward, and Hacking and Loss were essentially unchanged. Looking at the data by method of breach and type of entity, we identified some interesting statistics. Across both reporting periods, 67% of Thefts took place at Healthcare entities. In the prior four quarters, 40% of breaches at Education entities involved Public Access or Distribution, compared with only 16% in Q2. Government entities were most often hit with breaches involving Hacking or Public Access or Distribution across both reporting periods. In the prior four quarters, 22% of Corporate entity breaches involved Unauthorized Access/Use, but in Q2 this method accounted for only 17%.
A western state's administrative court system was breached by hackers, exposing up to 160,000 SSNs and possibly one million driver's license numbers. The hack happened sometime in September 2012 but was not detected until early […]. The court system launched an internal investigation and discovered that hackers gained access to data through a commercial software program used by the state. The state immediately patched the software and disclosed the breach in Q2. Those affected by the breach were from two specific groups. The first group includes individuals who were booked into jail between September 2011 and December 2012 and had their name and SSN accessed. The second group includes individuals who received a DUI citation in the state between 1989 and 2011, had a traffic case resolved between 2011 and 2012, or had a criminal case filed against them that was resolved in 2011 and […]. The state, following its investigation, took several steps to increase the security of its records, including isolating sensitive data in more protected areas, implementing additional code to detect hackers, and adopting new encryption rules. The state also set up a website and toll-free hotline to answer questions about the incident.

Navigant also tracked the format of breached records in three categories: physical, electronic and a combination of both. Electronic records are defined as those that may be accessed via CD-ROM, laptop, thumb drive, other media devices, email, website or server. In Q2, 79% of the records compromised were electronic, 16% were physical records and 5% were of unknown format. Across the Four Quarter Average, 83% of compromised records were electronic while 13% were physical records; 1% were classified as a combination of both electronic and physical records, while 3% were in an unknown format.

7. WHAT IS THE AVERAGE TOTAL COST OF A DATA BREACH?

Cost may be the first concern of an organization in the wake of a data breach.
One of the foremost studies on this issue is published by the Ponemon Institute, which provides statistics regarding the total costs of a data breach. Costs may include detection, discovery, notification, potential legal costs, ex-post costs, loss of customers, and/or brand damage, but will vary with each specific breach. For purposes of this report, Navigant used the Ponemon cost per record to estimate the average total cost of a data breach by type of entity and method of breach. [7]

A community college in Iowa suffered a data breach affecting more than 125,000 current and former students on March 13, […]. Hackers were able to gain access to student application records from February 2005 to March 2013 by accessing the course-application portal. The application information included applicant names, DOBs, race, contact information and SSNs. According to news reports, once the college identified the breach, it notified the FBI and contracted a data security firm. Following the investigation, the college began to contact those affected in early April with a letter explaining the breach and offering identity theft monitoring free of charge. Using the Ponemon Institute study estimates, the total cost of this data breach might be as high as $24 million. Following the breach, the college took down the course-application portal for almost four weeks to improve its security.

The average total cost of a data breach in Q2 was $3,702,400, a 56% decrease from the Four Quarter Average of $8,355,700. Some notable results from the analysis of average total cost of a data breach by entity were (See Figure 8): In Q2, Government ($7,006,967), Education ($5,329,863) and Corporate ($4,421,212) entities were above the average total cost of $3,702,400. Healthcare and Other entities were below the average by 38% and 75% respectively. For the Four Quarter Average, at $16,805,713, Government entities' costs were more than double the average total cost.
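The two calculations the report relies on in sections 3 and 7, the discovery-to-disclosure interval and the records-times-cost-per-record estimate, are straightforward to reproduce over a breach log. The following Python is an added example, not Navigant's code or data: it computes the interval for a constructed set of breach records, flags PHI breaches disclosed after the 60-day HITECH window mentioned in section 3, and applies the $188-per-record Ponemon figure cited in footnote 7 to estimate average total cost by entity type. The sample breaches, their field names and the function names are assumptions made for this illustration.

```python
"""Breach-log metrics of the kind tabulated in the report (added example, not
Navigant's code): discovery-to-disclosure intervals, a check against the 60-day
HIPAA/HITECH notification window for PHI breaches, and a Ponemon-style cost
estimate by entity type. The sample records below are constructed, not real."""
from collections import defaultdict
from datetime import date

COST_PER_RECORD = 188      # Ponemon average cost per compromised record cited in footnote 7
HITECH_WINDOW_DAYS = 60    # HHS/FTC notification deadline for breaches of PHI

# Constructed sample breach log (field names are assumptions for this example).
SAMPLE_BREACHES = [
    {"entity": "Healthcare", "records": 3000,
     "discovered": date(2013, 3, 15), "disclosed": date(2013, 5, 20), "phi": True},
    {"entity": "Healthcare", "records": 6000,
     "discovered": date(2013, 4, 2), "disclosed": date(2013, 4, 30), "phi": True},
    {"entity": "Corporate", "records": 170000,
     "discovered": date(2013, 4, 20), "disclosed": date(2013, 5, 5), "phi": False},
    {"entity": "Government", "records": 160000,
     "discovered": date(2013, 2, 1), "disclosed": date(2013, 5, 1), "phi": False},
    {"entity": "Education", "records": 125000,
     "discovered": date(2013, 3, 13), "disclosed": date(2013, 4, 5), "phi": False},
]


def days_to_disclosure(breach):
    """Calendar days between discovery and public disclosure of one breach."""
    return (breach["disclosed"] - breach["discovered"]).days


def average_days(breaches, entity=None):
    """Mean discovery-to-disclosure interval, optionally for one entity type."""
    subset = [b for b in breaches if entity is None or b["entity"] == entity]
    if not subset:
        return None
    return sum(days_to_disclosure(b) for b in subset) / len(subset)


def late_phi_notifications(breaches, window_days=HITECH_WINDOW_DAYS):
    """PHI breaches disclosed after the notification window, as (entity, days)."""
    return [(b["entity"], days_to_disclosure(b))
            for b in breaches
            if b["phi"] and days_to_disclosure(b) > window_days]


def estimated_cost(records, cost_per_record=COST_PER_RECORD):
    """Report-style total cost estimate: records exposed times cost per record."""
    return records * cost_per_record


def summarize_by_entity(breaches):
    """Per-entity count, average records, average estimated cost and average days."""
    groups = defaultdict(list)
    for b in breaches:
        groups[b["entity"]].append(b)
    summary = {}
    for entity, items in groups.items():
        avg_records = sum(b["records"] for b in items) / len(items)
        summary[entity] = {
            "breaches": len(items),
            "avg_records": avg_records,
            "avg_cost": estimated_cost(avg_records),
            "avg_days": average_days(items),
        }
    return summary


if __name__ == "__main__":
    print(f"average days to disclosure: {average_days(SAMPLE_BREACHES):.1f}")
    print("PHI breaches past the 60-day window:", late_phi_notifications(SAMPLE_BREACHES))
    for entity, row in sorted(summarize_by_entity(SAMPLE_BREACHES).items()):
        print(f"{entity:<11} breaches={row['breaches']} avg_records={row['avg_records']:,.0f} "
              f"avg_cost=${row['avg_cost']:,.0f} avg_days={row['avg_days']:.1f}")
```

The window check deliberately looks only at breaches flagged as involving PHI, since the 60-day rule in section 3 applies to HIPAA-covered entities; a state-law deadline such as Vermont's 45 days would be a second check with a different window and no PHI condition. Feeding the report's own Q2 average of 19,694 records into estimated_cost reproduces its $3,702,400 average total cost to within rounding.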
Corporate ($14,163,993) and Education ($10,142,160) entities were also above the Four Quarter Average total cost, while Healthcare and Other entities were below the average.

FIGURE 8: AVERAGE TOTAL COST BY TYPE OF ENTITY

Entity      | Four Quarter Average | Q2
Corporate   | $14,163,993          | $4,421,212
Education   | $10,142,160          | $5,329,863
Government  | $16,805,713          | $7,006,967
Healthcare  | $2,917,398           | $2,312,713
Other       | $4,785,284           | $914,150
FIGURE 9: AVERAGE TOTAL COST BY TYPE OF BREACH

Method                         | Four Quarter Average | Q2
Hack                           | $20,302,236          | $6,901,514
Loss                           | $11,802,550          | $6,769,799
Public Access or Distribution  | $7,558,443           | $4,834,554
Virus                          | $6,688,241           | $697,010
[Remaining bars of the figure (Improper Disposal, Theft, Unauthorized Access/Use, Unknown) show $3,984,370, $3,355,800, $2,966,146, $1,714,454, $1,094,809 and $213,756; their pairing with method and period is not recoverable from the extracted text.]

The average total cost of a data breach varied widely by type of entity between periods. The average cost for Other entities was $914,150 in Q2, down from $4,785,284 in the prior four quarters, an 81% decrease and the largest between reporting periods. Corporate entities decreased 69%, from the Four Quarter Average of $14,163,993 to $4,421,212 in Q2. Government entities decreased 58%, from $16,805,713 during the Four Quarter Average period to $7,006,967 in Q2. Education entities decreased their average total cost by 47% between reporting periods (Four Quarter Average: $10,142,160 vs. Q2: $5,329,863). The average total cost for Healthcare entities decreased 21% (Four Quarter Average: $2,917,398 vs. Q2: $2,312,713).

Navigant also calculated the average total cost by method of breach (See Figure 9). Hacking (Four Quarter Average: $20,302,236 vs. Q2: $6,901,514) showed the most significant decrease in costs from the Four Quarter Average to Q2. Virus saw the largest percentage decrease between reporting periods, a 90% reduction (Four Quarter Average: $6,688,241 vs. Q2: $697,010). The other categories with significant reductions in average cost included Theft, Loss and Unauthorized Access/Use. In Q2, Hacking ($6,901,514) was the most expensive type of breach, followed by Loss ($6,769,799) and Public Access or Distribution ($4,834,554). For the Four Quarter Average, Hacking ($20,302,236) was again the most expensive type of breach, followed by Loss ($11,802,550) and Public Access or Distribution ($7,558,443).
SPOTLIGHT ON NOTABLE BREACHES

Company/Organization: Drupal.org
Industry: Internet
Record Type: Electronic
Method: Hacking
Size of Breach: 1 Million User Accounts
Type of Data Breached: Email Addresses, User Names, Passwords

Drupal.org, a popular open-source content website, was hacked in May […]. The Portland, Oregon based collective said a routine security audit found that hackers had installed malicious software on its website, allowing others to look through account information. Drupal, following the hack, shut down both drupal.org and groups.drupal.org before beginning a forensic security review. The company notified users of the intrusion on its website and required those logging into the site to change their passwords to gain access. According to news reports, the hack involved 1 million users, and the files breached contained user names, email addresses, countries where users live and hashed passwords. Following the incident, the company took several steps to improve security, including scanning for malicious or dangerous files and creating a static archive of older files.

NOTES

[1] "State Attorneys General Are Crucial Force in Enforcement of Data Breach Statutes," Bloomberg BNA (October 7, 2013), and "Lawmakers Push for Federal Data Breach Notification Law," PC World (July 18, 2013).

[2] Includes Q[…] through Q[…].

[3] For purposes of this study, LivingSocial, Drupal Association, Facebook and Scribd were considered outliers in the last quarter and thus not reported as part of the quarterly data. The Drupal breach is discussed under the Spotlight on Notable Breaches section of this report. Quarterly data reported in prior studies may change when information regarding breaches is identified or amended.

[4] Insurance companies are classified as Corporate entities for the purposes of this study, although protected health information may be included in breach incidents involving insurance companies.

[6] A Virus is intrusive malware that infects computers, servers and networks. A virus often carries out unwanted operations on a host computer. A virus could be used for hacking, or it could be unintentionally loaded into a system and cause damage. Hacking occurs when a group or individual attempts to gain unauthorized access to computers or computer networks and tamper with operating systems, application programs, and databases. Unauthorized Access/Use is designated when an employee, contractor or volunteer of an organization wrongfully accesses or uses records. Improper Disposal occurs when either physical records or electronic media are not properly disposed of and could be accessed by other parties. A Theft involves physical records or electronic media that have been stolen or taken from an organization without permission by an employee or other party. Loss is designated when either physical records or electronic media have been lost and cannot be located by the organization. Public Access or Distribution occurs when records or data are made available publicly or to inappropriate parties. This includes data made accessible via a server, website or network, and data sent to inappropriate recipients via paper or electronic methods.

[7] Cost of Data Breach Study: United States, Ponemon Institute LLC, May […]. The total average cost per compromised record was $188. For purposes of this study, we estimated the total cost of each data breach using this figure calculated by the Ponemon Institute.
ABOUT NAVIGANT

Navigant (NYSE: NCI) is a specialized independent consulting firm providing dispute, financial, investigative, regulatory and operations advisory services to government agencies, legal counsel and large companies facing the challenges of uncertainty, risk, distress and significant change. The Company focuses on industries undergoing substantial regulatory or structural change and on the issues driving these transformations.

CONTACT

For questions related to the data presented herein:

Lead Data Breach Forensic Investigators: Steven Visser, Greg Osinoff, Esq., Daren Hutchison
Strategic Initiative Contacts: Scott Paczosa, Jonathan Drage, Darin Bielby
Research Lead: Bill Schoeffler
Brad Pinne, Bill Hardin, Cuyler Robinson

navigant.com

The authors would like to thank Vanessa Nelson Meihaus and Angela Krulc for their invaluable assistance. Both specialize in practice-specific and general business development research in Navigant's Research Services Group.

© Navigant Consulting, Inc. All rights reserved. Navigant Consulting is not a certified public accounting firm and does not provide audit, attest, or public accounting services. See […] for a complete listing of private investigator licenses.