data breach report 2020The annual Verizon data breach report was recently released for 2020. Learning from other’s mistakes is always the best way to learn vs the alternatives. These reports always offer very specific details that we find very enlightening and helpful in making business decisions relating to security in all businesses.


A 5 star review is all we ask from our listeners.
Free HIPAA Training
Subscribe to the weekly email update from HMWH

I have read and agreed to your Privacy Policy.

In this episode:

2020 Data breach stats good news and not so good news – Ep 262


The HIPAA Boot Camp

2020 COVID Session Dates

August 18, 19, 20

Online Version!!

For info go to

Registration Form

Share Help Me With HIPAA with one person this week!

Thanks to our donors.  We appreciate your support!

If you would like to donate to the cause you can do that at

Like us and leave a review on our Facebook page:

Contact Tracing Apps

[9:40]My team asked in this week’s meeting for some guidance on the release of the contact tracing apps.  If they want to know something we usually get to talk about it on here assuming that others may be pondering the same things.

My answer was “I’m not a fan.” I did some research on the apps and once I read this article – COVID-19 Contact Tracing Apps Spotlight Privacy, Security Rights – I didn’t need to dig much further. There are too many gaps in the process when you consider the amount of data they will be accumulating.

Yet another HIPPPAAA in the wild with a confusing message

[14:25]COVID-19 Cases in the workplace & HIPPA rules

pasted image 0

pasted image 0 5

Oh and another misuse of HIPAA

[22:33]This one popped up out of all the “Karen” memes when a lady used HIPAA as a reason she should get into a store without a mask due to her medical condition that HIPAA did not require her to divulge.

I have a medical condition that says I am not allowed to wear a mask and I am not required under HIPAA rules and regulations to disclose that.

Wrong – just wrong. HIPAA does not control what a patient can choose to share with others. Don’t throw HIPAA around just say I will not tell you why or anything about my medical condition. Leave HIPAA out of it!

2020 Data breach stats good news and not so good news

[35:13]Another important alert from CISA about home routers. If you aren’t worrying about these things and have folks working at home, you are just cruisin’ for a bruisin’.

Verizon DBIR 2020

Great quote on the introduction of the 2020 Verizon DBIR. It points to something we have said for years, but in a much more succinct way.

Experience is merely the name men gave to their mistakes.

Oscar Wilde, The Picture of Dorian Gray

The team that does this report each year, this the 13th, are true data geeks. It is fascinating to read if you really like statistics and data analytics.  This year, they evaluated a total of 157,525 incidents, which is more than ever before. Of those incidents, 32,002 met their standards to be included in the data and of those, 3,950 were confirmed data breaches. That is a lot of data from across industries and continents to evaluate and compare.

They really stepped things up this year because they are aligning to the CIS 20 and narrowing down specific information on the activity within each of the 16 verticals.

Overall Data Breach Summaries

Info that looks at all industries and all countries let us have that benchmark to compare healthcare’s numbers. Keep in mind that some of these stats reflect that the same event can show up in multiple numbers. That messes with me sometimes because I want it to be exactly 100% when I add things up.

Good news is 89% of the breaches used 3 different tactics. Hacking 45% followed by “Errors were casual events” and Social attacks both at 22%. When you add in that 17% is malware you cover the vast majority of the attack methods. In theory that gives us 4 things to worry about but we know that isn’t even close to what we should be worried about.

Perpetrators are also primarily across three groups. 70% “External actors”, 55% “Organized crime” followed by 30% involve “Internal actors.” That last one isn’t so good at all. This one particularly shows how the numbers don’t add up to 100 because it can involve multiple actors.

Here are some other key points:

pasted image 0 3

pasted image 0 4

81% were contained in days or less once they were found

58% included personal data compromises

86% financially motivated

72% large businesses

28% small businesses

37% used stolen credentials

27% of all malware was Ransomware (keep in mind they don’t see ransomware as a data breach all of the time like we now need to do in healthcare)

22% of all breaches involved Phishing

Insiders vs Insiders

Some of their assessments of the information I kind of disagree with just because they look at it differently than we do.

Nevertheless, it is a widely held opinion that insiders are the biggest threat to an organization’s security, but one that we believe to be erroneous. Admittedly, there is a distinct rise in internal actors in the dataset these past few years, but that is more likely to be an artifact of increased reporting of internal errors rather than evidence of actual malice from internal actors.

They see the data as if the only time they worry about insiders is if they are actually being malicious actors. We see insider issues can be any of three types: Malicious, Intentional Non-Malicious, and Negligent.  They only count one of those categories in their stats and point out that financial attacks by outsiders is the number one thing they find. Fair enough if you don’t count the ways that insiders let them in as part of the problem.

Yet again, they make it very clear that your systems and access is just as valuable to them as money.

When we look at criminal forums and underground data, 5% refer to a “service.” That service could be any number of things including hacking, ransomware, Distributed Denial of Service (DDoS), spam, proxy, credit card crime-related or other illicit activities. Worse still, that “service” may just be hosted on your hardware. The simple fact is this:

If you leave your internet-facing assets so unsecured that taking them over can be automated, the attackers will transform your infrastructure into a multi-tenant environment.

The services criminals provide to attack others could be hosted on your equipment with automated attacks that find the device, load the services and start attacking others within minutes if not seconds. That is why they see the motive behind the attacks more likely start as financial. Once they get whatever they can there they shift to a secondary reason they can use their infiltration into your network or devices.

pasted image 0 2

Who are these financial attackers we speak of? How about organized crime? Just as we have been discussing for over a year now, this is no longer a bunch of people in the dark in a hoodie. If that is what you still picture as a “hacker” it is like imagining what you would think if you see someone walking down the street using an old flip phone. Not the new ones, one of the old ones that were cool in 2006.

pasted image 0 6

How is healthcare

Their summary:

Financially motivated criminal groups continue to target this industry via ransomware attacks. Lost and stolen assets also remain a problem in our incident dataset. Basic human error is alive and well in this vertical. Misdelivery grabbed the top spot among Error action types, while internal Misuse has decreased.Verizon 2020 Data Breach Investigations Report - Healthcare summary

pasted image 0 1

Keep in mind that they classify data breaches in these lists using their standards not the OCR standards. That means that in many cases they are not considered a data breach.

Good news! Healthcare Insider issues have finally gone down but they won’t commit to saying it is a pattern. It went from 23% to 8.7% which is great. But, they were not quite sure if this is just a blip. So we’re not committed to saying it is officially an improvement.

The last little bit that they included about healthcare is more of the scary fun stuff.  They talk about the time required to compromise and exfiltrate data has been getting smaller overall in the data set. But the time for an organization to notice that they’ve been breached isn’t keeping pace. That is the root issue we must all worry about these days. Every trend we are seeing involves less of the automated malware attacks that don’t involve infiltrating your network and more of those that are infiltrating your network.

We all know the world we live in right now is pretty chaotic and people are doing really unexpected things which we call crazy here. With financial gain as the primary objective, the economies of the world experiencing declines due to the virus, the virus pushing us into uncharted territory are just throwing in more fuel for fires to be burning inside your networks and systems. Find a way to take action now to check your security or the ability to get things done could get much harder and more complicated overnight.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.