2017 US data breaches have reached a record high, jumping an incredible 29% year over year. The mid-year data breach report from the Identity Theft Resource Center (ITRC) and CyberScout shows there were 791 reported data breaches between January 1 to June 30, 2017.
If 2017 US data breaches continue at the current pace, and there are no indications to suggest they will not, this year is set to be another record breaker. Last year smashed previous records with 1,093 data breaches reported for the year. This year looks on track to see the total reach – or exceed – 1,500 breaches. That would represent a 37% increase year over year.
The biggest cause of 2017 US data breaches is hacking according to the report. Hacking includes phishing attacks, malware infections and ransomware attacks, the latter seeing a massive increase in the past 12 months. In the first six months of 2017, 63% of incidents were attributed to hacking – a 5% increase year over year. 47.7% of those breaches involving phishing to some degree. ITRC says 18.5% of 2017 US data breaches involved malware or ransomware.
Employee error and negligence, which includes improper disposal of sensitive data, continue to cause many breaches, with those causes accounting for 9% of the total. Accidental exposure of sensitive data on the Internet was the cause of 7% of data breaches. The number of breaches in both categories decreased year over year.
Most 2017 US Data Breaches Were Reported by the Business Sector
In the first half of the year, the business sector reported the most data breaches – 54.7% – with the healthcare and medical industry in second place with 22.5% of breaches. The education sector was third with 11% of breaches followed by the banking and financial services sector with 5.8% of the total. The government and military sector rounds off the top five with 5.6% of reported breaches.
There was an increase in data breaches reported by the hospitality and fast food sector in the first half of the year, most of which involved the theft of credit card details after malware was installed on POS systems. One of the biggest breaches affected Sabre Corporation and its SynXis hotel booking service. Hard Rock Hotels, Trump Hotels, Loews hotels and Four Seasons were all among the victims. In the case of Trump hotels, it was the third payment card data breach experienced in the past 2 years.
Biggest Healthcare Data Breaches of 2017 (So far)
The healthcare industry has also seen a rise in data breaches in 2017 of 14% according to the figures published by the Department of Health and Human Services’ Office for Civil Rights. The main cause of healthcare data breaches – 37% – was hacking and IT incidents, which includes ransomware and malware attacks. Unauthorized access/disclosure came a close second with 35% of the total. Loss and theft of devices containing ePHI was in third place with 24% of the total followed by improper disposal on 4%.
The biggest healthcare data breaches of 2017 so far are:
Organization | Entity Type | Records Exposed | Breach Type |
Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft |
Airway Oxygen, Inc. | Healthcare Provider | 500,000 | Hacking/IT Incident |
Urology Austin, PLLC | Healthcare Provider | 279,663 | Hacking/IT Incident |
Harrisburg Gastroenterology Ltd | Healthcare Provider | 93,323 | Hacking/IT Incident |
VisionQuest Eyecare | Healthcare Provider | 85,995 | Hacking/IT Incident |
Washington University School of Medicine | Healthcare Provider | 80,270 | Hacking/IT Incident |
Emory Healthcare | Healthcare Provider | 79,930 | Hacking/IT Incident |
Stephenville Medical & Surgical Clinic | Healthcare Provider | 75,000 | Unauthorized Access/Disclosure |
Primary Care Specialists, Inc. | Healthcare Provider | 65,000 | Hacking/IT Incident |
The healthcare industry must report data breaches under HITECH/HIPAA regulations, including the number of individuals impacted. However, ITRC/CyberScout report that many organizations are holding back details of the number of individuals impacted due to the large HIPAA violation fines. Without that information, it is difficult to obtain an accurate picture of the severity of data breaches.
Eva Velasquez, ITRC President and CEO, said, “The number of records breached in a specific incident allows us to provide more insight into the scope of this problem, and is a necessary next step in our advocacy efforts.”