Majority of criminal health care data breaches target point-of-sale, not EHR

Verizon is back with another of their amazing Data Breach Investigation Reports. Each year, Verizon studies the scope of data breaches in a variety of industries and summarizes the results in one of their Data Breach Investigation Reports. In earlier years, the company worked just with the U.S. Secret Service, but this year, they've branched out and gathered information by working with the Australian Federal Police, the Dutch National High Tech Crime Unit, the Irish Reporting & Information Security Service, the Police Central e-Crime Unit, and United States Secret Service.

More to the point of ZDNet Health, Verizon has broken out a variety of industry verticals and subjected them to their own scope of analysis. Healthcare was one such industry vertical, and they published their DBIR Industry Snapshot: Healthcare (PDF).

While the document is well worth a read in its overall form, what I found most interesting were the somewhat unexpected conclusions about breaches that came from the report.

The chart below, from the Verizon report, showcases that the bulk of breaches had to do with point-of-sale devices. Breaches of database servers, backup tapes, and documents were relatively rare by comparison. While electronic health records are subject to some breach, the vast majority of records breaches in health care organizations are pretty much just breaking into the cash register.

While these results may be hard to believe initially, remember that doctors offices and small clinics (which were the majority of those organizations breached) tend to take in real money in the form of credit cards, cash, and checks for both self-pay customers and for the co-pay portion of the visit cost. So, while insurance companies are reimbursing some of the expense, the amount that the insurance carriers leave on the table has become quite attractive to organized criminals.