Information Security & Data Breach Report November 2013 Update


Headlines like “State Attorneys General Are Crucial Force in Enforcement of Data Breach Statutes” and “Lawmakers Push for Federal Data Breach Notification Law” demonstrate increasing local and national concern with information security.[1] With more regulatory bodies taking notice of data privacy events, it has become clear that companies need the proper risk management protocols in place to handle this increasingly complex environment.

We are pleased to present our latest report, which is designed to provide you insights into notable breaches and identify trends with the objective of answering the following principal questions:

1. What is the total number of breaches per quarter?

2. What types of entities are experiencing breaches?

3. What is the average number of days between discovery and disclosure of a data breach?

4. What types of data are being compromised?

5. What is the average number of records per breach?

6. What are the leading causes of data breaches?

7. What is the average total cost of a data breach?

METHODOLOGY USED FOR IDENTIFYING DATA BREACHES

Navigant captured all major data breaches disclosed publicly during the second quarter of 2013 (April 1, 2013 – June 30, 2013) for comparison against data from the prior four quarters (FQA – “Four Quarter Average”).[2]

As part of the methodology, Navigant evaluated multiple sources to compile a list of breaches that took place in the United States involving a minimum of 1,000 exposed or potentially exposed records.[3] The incidents identified in this report involve breaches in which physical or electronic records were hacked, lost, stolen, or improperly exposed or discarded.

1. WHAT IS THE TOTAL NUMBER OF BREACHES PER QUARTER?

We identified 63 major data breaches in Q2 compared to the average of 52 from the previous four quarters, a 21% increase. This is the second largest number of breaches identified in the history of this report; in our inaugural edition, we identified 77 breaches in Q3 2010. The Q2 breaches exposed 1,240,698 records, which is 1.08 million records fewer than the prior FQA of 2,322,263. Half of the top ten breaches in Q2 involved Government entities, followed by two Healthcare breaches, two Corporate breaches and one breach in the Education sector. The top five breaches in Q2 represented over 724,000 records, 58% of the total. During the prior four quarters, seven out of the top ten breaches were either Corporate or Education entities.

2. WHAT TYPES OF ENTITIES ARE EXPERIENCING BREACHES?

Our report classifies the organizations affected by data breaches into five categories: Healthcare, Corporate, Education, Government and Other.[4]

These designations provide an overview of the entities that experienced a physical or electronic records breach. Across Q2 and the FQA, Healthcare entities experienced the largest percentage of breaches identified.

» In Q2, Healthcare entities accounted for 52% of all breaches identified, followed by Corporate (19%), Government (16%), Education (10%), and Other (3%) (See Figure 1).

» For the FQA, Healthcare entities experienced 45% of the data breaches identified, followed by Corporate (17%), Education (17%), Government (16%), and Other (5%) (See Figure 2).

As part of Navigant’s analysis, we further segmented Healthcare entities to get a better sense of the types of organizations affected by data breaches. The types of Healthcare entities which experienced data breaches in Q2 and the prior four quarters are shown on the following page.

Hospitals are the largest single category of Healthcare data breaches: 34% in Q2 and an average of 37% in the prior four quarters. The percentage of data breaches occurring at Physician Offices declined significantly, from 25% in the FQA to 15% in Q2. Conversely, the share of Mental Health Treatment Facility breaches increased to 15% in Q2 from only 3% in the FQA.

DATA BREACH SCORECARD

» Healthcare entities accounted for the largest percentage of the data breaches in both reporting periods (Q2: 52% vs. FQA: 45%).

» The average number of days between discovery and disclosure of Corporate breaches decreased to 51 days from the prior FQA of 61 days.

» Hospitals experienced breaches more often than other healthcare entities across reporting periods (Q2: 34% vs. FQA: 37%).

» The average number of records exposed per data breach was 56% below the four quarter average (Q2: 19,694 vs. FQA: 44,445).

» There was a 47% decrease in the number of records breached between reporting periods (Q2: 1.24 million records vs. FQA: 2.32 million records).

One of the largest breaches identified in Q2 occurred at a regional medical center in California. In late 2012, the hospital contracted with a local vendor to digitize and then destroy X-Rays from patient files. The medical center learned from law enforcement in March 2013 that its files were missing. The hospital, working with local law enforcement, immediately began an internal investigation to determine what happened. The missing radiology records pertain to dates of service prior to February 2011 and may include patient names, dates of birth (DOBs), addresses, medical record numbers, physician names, diagnoses, radiology procedures, radiology interpretations, health insurance numbers and, in some instances, Social Security numbers (SSNs). In response to this incident, the company contacted all affected users and offered free credit monitoring. The medical center also set up a toll free number for those affected and implemented additional security measures to protect patients from future breaches.

Healthcare Entity Type | Q2 2013 | Four Quarter Average (FQA) | Q2 Trend From FQA
Hospitals | 34% | 37% | Down
Physician Offices | 15% | 25% | Down
Mental Health Treatment Facility | 15% | 3% | Up
Clinics | 15% | 9% | Up
Health System | 9% | 10% | Down
Home Health Services | 6% | 7% | Down
Surgical Center | 3% | 1% | Up
Dental Practice | 3% | 6% | Down
Rehabilitation Facility | 0% | 2% | Down

FIGURE 1: Q2 2013 BREACHES BY TYPE OF ENTITY
Healthcare 52%, Corporate 19%, Government 16%, Education 10%, Other 3%

FIGURE 2: PRIOR FOUR QUARTERS BREACHES BY TYPE OF ENTITY
Healthcare 45%, Corporate 17%, Education 17%, Government 16%, Other 5%

3. WHAT IS THE AVERAGE NUMBER OF DAYS BETWEEN DISCOVERY AND DISCLOSURE OF A DATA BREACH?

Data security regulations and the increasing danger of identity theft have elevated the importance of a timely response and disclosure after the discovery of a data breach. Forty-six states and several U.S. territories including Guam, the Virgin Islands and Puerto Rico have enacted data breach reporting requirements. Some states allow a company to conduct a reasonable investigation of the incident before notification, while other states have established specific timelines for notification. States such as North Dakota, South Carolina and Vermont have recently passed legislation strengthening their data breach notification rules. In North Dakota, the state legislature expanded the definition of personal information under House Bill No. 1435 to include health insurance information and medical information. Vermont now requires financial institutions regulated by the state to provide notice of a breach to the Department of Financial Regulation. Under House Bill No. 513, Vermont requires that consumers be notified no later than 45 days after the discovery of a data breach and the Attorney General within 14 business days. States without specific data breach notification laws include Alabama, Kentucky, New Mexico and South Dakota.

The average number of days between discovery and disclosure for all breaches decreased to 54 days in Q2 from 55 days in the FQA. We also track the average number of days between discovery and disclosure by type of entity (See Figure 3). The two entity types that experienced significant change in this metric were Corporate and Other. The significant decrease in time between discovery and disclosure for Corporate entities can be attributed to several breaches that were disclosed less than 20 days after discovery of the incidents. One of these breaches involved the largest provider of discounted phone service to low-income families. A newspaper investigation found more than 170,000 customer records from 26 different states available online. The records were identified through a Google search and included SSNs, DOBs and information about participation in other government-assistance programs. The records were being stored online by a third party vendor who helps the company determine eligibility for the program. Of the 170,000 records, 44,000 were application or certification forms while 127,000 were supporting documents such as photos of driver’s licenses, tax records, pay stubs including bank account information or passports. The company, upon learning of the breach, removed the information from the Internet and began an internal investigation. Several hundred applicants who were at heightened risk of identity theft and those in Texas, Minnesota, Nevada and Illinois were contacted about the breach. The company established a hotline for those affected by the incident and has offered free credit monitoring to those most at risk.

Currently, both federal and state authorities require that entities holding personal health information must disclose that a data breach has occurred. The Department of Health & Human Services (HHS) issued data breach regulations in August 2009. At the same time, similar breach notification regulations were issued by the Federal Trade Commission (FTC). As part of directives under the Health Information Technology for Economic and Clinical Health (HITECH) Act, finalized in January 2013, both the HHS and the FTC require HIPAA-covered entities to provide notification following a breach of protected health information no later than 60 days after the incident.[5] Our analysis shows the average number of days between discovery and disclosure of breaches of medical records was 70 days for the prior four quarters compared to 64 days in Q2, representing a 9% decrease.

FIGURE 3: AVERAGE NUMBER OF DAYS BETWEEN DISCOVERY AND DISCLOSURE BY TYPE OF ENTITY
Entity | Q2 2013 | FQA
Corporate | 51 | 61
Education | 37 | 29
Government | 30 | 36
Healthcare | 63 | 72
Other | 52 | 29

A notable Healthcare data breach involving the loss of sensitive medical and personal data took place at a counseling and treatment center with several locations across southern Arizona. One of the center’s employees was the victim of a burglary resulting in the loss of a company laptop and external hard drive. The thief broke into the employee’s home sometime in mid-March 2013. The employee, upon discovering the laptop and external hard drive were missing, filed a police report. The external hard drive contained the names, DOBs and treatment plans of over 3,000 patients who visited the centers between 2011 and 2013. Those affected by the data breach were notified by letter and offered free credit monitoring. According to news reports, it is not clear what additional remediation steps the company took following this breach.

4. WHAT TYPES OF DATA ARE BEING COMPROMISED?

The types of data being compromised include personally identifiable information (PII), such as names, DOBs or SSNs; protected health information (PHI), such as information related to medical conditions, the provision of healthcare, or payment for the provision of healthcare; and financial information, such as bank account or credit card numbers. We identified several categories of data commonly at risk in data breaches, including: Names, Contact information, SSNs, DOBs, Medical records, Credit Cards, Email addresses, Financial information and Miscellaneous information (See Figure 4). Many of the incidents identified in this report have multiple types of data associated with each breach. In Q2, the percentage of breaches involving some of the most sensitive data was below the Four Quarter Average, including SSNs (Q2: 52% vs. FQA: 56%) and DOBs (Q2: 40% vs. FQA: 42%). Breaches of medical information, on the other hand, were above the FQA (Q2: 49% vs. FQA: 48%). Healthcare entities accounted for over 68% of the total breaches involving DOBs in Q2.

FIGURE 4: BREACHES BY TYPE OF INFORMATION (bar chart, Q2 2013 vs. FQA, for Name, Credit Card, Contact, Financial, SSN, Email, DOB, Misc. and Medical; the bar values cannot be matched to their categories in the extracted text)

A breach that involved almost 6,000 patient records containing PHI and other data took place at a pediatric primary care clinic in Florida. In April 2013, the clinic, part of a university health system, was notified by federal authorities and the Secret Service that an employee potentially accessed patient medical records as part of an identity theft ring. The employee may have used the records to steal personal information including names, addresses, DOBs and SSNs. The university began an internal investigation and immediately terminated the employee. The employee’s job description permitted access to patient records. The university clinic, out of caution, set up a toll free hotline to answer questions and offered identity theft monitoring services for one year. It is not clear from news reports what steps, if any, the clinic took to enhance its protocols and security measures concerning patient record access.

5. WHAT IS THE AVERAGE NUMBER OF RECORDS PER BREACH?

Navigant has calculated the average number of records per breach by type of entity (See Figure 5). This analysis revealed that the average number of records per breach was 56% lower in Q2 2013 than the previous four quarters (FQA: 44,445 vs. Q2: 19,694).

» The largest change between reporting periods was an 81% decrease for Other entities (FQA: 25,454 vs. Q2: 4,863).

» The average number of records per breach for Corporate entities in Q2 decreased 69% from the prior four quarters (FQA: 75,340 vs. Q2: 23,517).

» Government entities experienced a 58% decline from 89,392 records in the prior four quarters to 37,271 records in Q2.

» The average number of records per breach for Education entities was 53,948 during the prior four quarters versus 28,350 in Q2, a decrease of 47%.

» Healthcare entities averaged 15,518 records during the prior four quarters compared to 12,302 records in Q2, a 21% decrease.

FIGURE 5: AVERAGE RECORDS PER BREACH BY TYPE OF ENTITY
Entity | Q2 2013 | FQA
Corporate | 23,517 | 75,340
Education | 28,350 | 53,948
Government | 37,271 | 89,392
Healthcare | 12,302 | 15,518
Other | 4,863 | 25,454

6. WHAT ARE THE LEADING CAUSES OF DATA BREACHES?

The different causes of a data breach are summarized into seven major categories: Virus, Hacking, Loss, Theft, Public Access/Distribution, Unauthorized Access/Use, and Improper Disposal.[6] The relative volume of data breach methods used in Q2 is shown in Figure 6.

The FQA had a similar break-out (See Figure 7). In Q2, Public Access or Distribution, Unauthorized Access/Use and Virus were trending up compared to the FQA; however, Theft was trending downward and Hacking and Loss were essentially unchanged.

FIGURE 6: Q2 2013 BREACHES BY TYPE OF METHOD
Theft 25%, Public Access or Distribution 22%, Unauthorized Access/Use 18%, Hack 18%, Loss 11%, Virus 6%

FIGURE 7: FQA BREACHES BY TYPE OF METHOD
Theft 35%, Hack 19%, Public Access or Distribution 15%, Unauthorized Access/Use 13%, Loss 11%, Virus 4%, Improper Disposal 3%

Looking at the data by method of breach and type of entity, we identified some interesting statistics.

» Across both reporting periods, 67% of Thefts took place at Healthcare entities.

» In the prior four quarters, 40% of breaches at Education entities involved Public Access or Distribution, compared with only 16% in Q2.

» Government entities were most often hit with breaches involving Hacking or Public Access or Distribution across both reporting periods.

» In the prior four quarters, 22% of Corporate entity breaches involved Unauthorized Access/Use, but in Q2 this method accounted for only 17%.


Navigant also tracked the format of breached records in three categories: physical, electronic and a combination of both. Electronic records are defined as those that may be accessed via CD-ROM, laptop, thumb drive, other media devices, e-mail, website or server. In Q2, 79% of the records compromised were electronic, 16% were physical records and 5% were unknown. Across the FQA, 83% of compromised records were electronic while 13% were physical records; 1% were classified as a combination of both electronic and physical records, while 3% were in an unknown format.

7. WHAT IS THE AVERAGE TOTAL COST OF A DATA BREACH?

Cost may be the first concern of an organization in the wake of a data breach. One of the foremost studies on this issue, published by the Ponemon Institute, provides statistics regarding the total costs of a data breach. Costs may include detection, discovery, notification, potential legal costs, ex-post costs, loss of customers, and/or brand damage, but will vary with each specific breach. For purposes of this report, Navigant used the Ponemon cost per record to estimate the average total cost of a data breach by type of entity and method of breach.[7]

The average total cost of a data breach in Q2 was $3,702,400, a 56% decrease from the FQA of $8,355,700. Some notable results from the analysis of average total cost of a data breach by entity were (See Figure 8):

» In Q2, Government ($7,006,967), Education ($5,329,863) and Corporate ($4,421,212) entities were above the average total cost of $3,702,400. Healthcare and Other entities were below the average by 38% and 75% respectively.

» At $16,805,713, Government entities’ costs during the FQA were more than double the FQA average total cost. Corporate ($14,163,993) and Education ($10,142,160) entities were also above the average total cost, while Healthcare and Other entities were below the average.

FIGURE 8: AVERAGE TOTAL COST BY TYPE OF ENTITY
Entity | Q2 2013 | FQA
Corporate | $4,421,212 | $14,163,993
Education | $5,329,863 | $10,142,160
Government | $7,006,967 | $16,805,713
Healthcare | $2,312,713 | $2,917,398
Other | $914,150 | $4,785,284

A western state’s administrative court system was breached by hackers, exposing up to 160,000 SSNs and possibly one million driver’s license numbers. The hack happened sometime in September 2012 but was not detected until early 2013. The court system launched an internal investigation and discovered that hackers gained access to data through a commercial software program used by the state. The state immediately patched the software and disclosed the breach in Q2. Those affected by the breach were from two specific groups. The first group includes individuals who were booked into jail between September 2011 and December 2012 and had their name and SSN accessed. The second group includes individuals who received a DUI citation in the state between 1989 and 2011, had a traffic case resolved between 2011 and 2012, or had a criminal case filed against them that was resolved in 2011 and 2012. The state, following its investigation, took several steps to increase the security of its records, including isolating sensitive data to more protected areas, implementing additional code to detect hackers and adopting new encryption rules. The state also set up a website and toll free hotline to answer questions about the incident.

A community college in Iowa suffered a data breach affecting more than 125,000 current and former students on March 13, 2013. Hackers were able to gain access to student application records from February 2005 to March 2013 by accessing the course-application portal. The application information included applicant names, DOBs, race, contact information and SSNs. According to news reports, once the college identified the breach, it notified the FBI and contracted a data security firm. Following the investigation, the college began to contact those affected in early April with a letter explaining the breach and offering identity theft monitoring free of charge. Using the Ponemon Institute study estimates, the total cost of this data breach might be as high as $24 million. Following the breach, the college took down the course-application portal for almost four weeks to improve its security.


The average total cost of a data breach varied widely by type of entity between quarters.

» The average cost for Other entities fell to $914,150 in Q2 from $4,785,284 in the prior four quarters, an 81% decrease, the largest between reporting periods.

» Corporate entities decreased 69%, from the FQA of $14,163,993 to $4,421,212 in Q2.

» Government entities decreased 58% from $16,805,713 during the FQA period to $7,006,967 in Q2.

» Education entities decreased their average total cost by 47% between reporting periods (FQA: $10,142,160 vs. Q2: $5,329,863).

» The average total cost for Healthcare entities decreased 21% (FQA: $2,917,398 vs. Q2: $2,312,713).

Navigant also calculated the average total cost by method of breach (See Figure 9). Hacking (FQA: $20,302,236 vs. Q2: $6,901,514) showed the most significant decrease in costs from the FQA to Q2. Virus saw the largest percentage decrease between reporting periods, a 90% reduction (FQA: $6,688,241 vs. Q2: $697,010). The other categories with significant reductions in average cost included Theft, Loss and Unauthorized Access/Use. In Q2, Hacking ($6,901,514) was the most expensive type of breach, followed by Loss ($6,769,799) and Public Access or Distribution ($4,834,554). For the FQA, Hacking ($20,302,236) was again the most expensive type of breach, followed by Loss ($11,802,550) and Public Access or Distribution ($7,558,443).

FIGURE 9: AVERAGE TOTAL COST BY TYPE OF BREACH
Method | Q2 2013 | FQA
Hack | $6,901,514 | $20,302,236
Loss | $6,769,799 | $11,802,550
Public Access or Distribution | $4,834,554 | $7,558,443
Virus | $697,010 | $6,688,241
(The chart also shows values for Theft, Improper Disposal, Unauthorized Access/Use and Unknown, namely $3,355,800, $1,714,454, $1,094,809, $213,756, $3,984,370 and $2,966,146, but these cannot be matched to a category or reporting period from the extracted text.)


[1] “State Attorneys General Are Crucial Force in Enforcement of Data Breach Statutes,” Bloomberg BNA (October 7, 2013) http://www.bna.com/state-attorneys-general-n17179877665/ and “Lawmakers Push for Federal Data Breach Notification Law,” PC World (July 18, 2013) http://www.pcworld.com/article/2044673/lawmakers-push-for-federal-data-beach-notification-law.html.

[2] FQA includes Q2 2012 – Q1 2013.

[3] For purposes of this study Living Social, Drupal Association, Facebook and Scribd were considered outliers in the last quarter and thus not reported as part of the quarterly data. The Drupal breach is discussed under the Notable Data Breaches section of this report. Quarterly data reported in prior studies may change when information regarding breaches is identified or amended.

[4] Insurance companies are classified as Corporate entities for the purposes of this study, although protected health information may be included in breach incidents involving insurance companies.

[5] http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

[6] A Virus is an intrusive malware that infects computers, servers and networks. A virus often carries out unwanted operations on a host computer. A virus could be used for hacking or it could be unintentionally loaded into a system and cause damage. Hacking occurs when a group or individual attempts to gain unauthorized access to computers or computer networks and tamper with operating systems, application programs, and databases. Unauthorized Access/Use is designated when an employee, contractor or volunteer of an organization wrongfully accesses or uses records. Improper Disposal occurs when either physical records or electronic media are not properly disposed of and could be accessed by other parties. A Theft involves physical records or electronic media that have been stolen or taken from an organization without permission by an employee or other party. Loss is designated when either physical records or electronic media have been lost and cannot be located by the organization. Public Access or Distribution occurs when records or data are made available publicly or to inappropriate parties. This includes data made accessible via a server, website or network and sent to inappropriate recipients via paper or electronic methods.

[7] 2013 Cost of Data Breach Study – United States, Ponemon Institute LLC, May 2013. The total average cost per compromised record was $188. For purposes of this study, we estimated the total cost of each data breach using this figure calculated by the Ponemon Institute.

SPOTLIGHT ON NOTABLE BREACHES

Company/Organization: Drupal.org
Industry: Internet
Record Type: Electronic
Method: Hacking
Size of Breach: 1 Million User Accounts
Type of Data Breached: Email Addresses, User Names, Passwords

Drupal.org, a popular open-source content website, was hacked in May 2013. The Portland, Oregon based collective said a routine security audit found that hackers had installed malicious software on its website allowing others to look through account information. Drupal, following the hack, shut down both drupal.org and groups.drupal.org before beginning a forensic security review. The company notified users of the intrusion on its website and required those logging into the site to change their passwords to gain access. According to news reports, the hack involved 1 million users and the files breached contained user names, e-mail addresses, countries where users live and hashed passwords. Following the incident, the company took several steps to improve security including scanning for malicious or dangerous files and creating a static archive of older files.


Strategic Initiative Contacts

Scott Paczosa 312.583.2150 [email protected]
Jonathan Drage 312.583.2157 [email protected]
Darin Bielby 215.832.4485 [email protected]

Research Lead

Bill Schoeffler 202.973.3140 [email protected]

navigant.com

The authors would like to thank Vanessa Nelson Meihaus and Angela Krulc for their invaluable assistance. Both specialize in practice specific and general business development research in Navigant’s Research Services Group.

ABOUT NAVIGANT

Navigant (NYSE: NCI) is a specialized independent consulting firm providing dispute, financial, investigative, regulatory and operations advisory services to government agencies, legal counsel and large companies facing the challenges of uncertainty, risk, distress and significant change. The Company focuses on industries undergoing substantial regulatory or structural change and on the issues driving these transformations.

CONTACT »

For questions related to the data presented herein:

Lead Data Breach Forensic Investigators

Steven Visser 303.383.7305 [email protected]
Greg Osinoff, Esq. 646.227.4406 [email protected]
Daren Hutchison 303.383.7322 [email protected]
Brad Pinne 312.583.5894 [email protected]
Bill Hardin 312.583.4119 [email protected]
Cuyler Robinson 312.583.2188 [email protected]

©2013 Navigant Consulting, Inc. All rights reserved. 00002298
