One out of every three Americans was affected by a healthcare record breach last year, or more than 113 million people, up more than 10-fold from 12.6 million in 2014, according to a report released this morning by Bitglass.
Types of breaches changed dramatically, as well. In 2014, 68 percent of breached medical records were due to lost or stolen devices, but that percentage dropped to 2 percent last year.
Instead, in 2015, 98 percent of lost records were due to large-scale breaches.
"Lost and stolen devices have traditionally been the biggest source or compromised medical records," said Rich Campagna, vice president of products at Bitglass. "And that's completely switched."
One reason is that financial institutions have worked hard to reduce the value of stolen credit card numbers, he said, by quickly canceling and re-issuing stolen cards. Healthcare information, however, which includes insurance data, addresses, Social Security numbers and birth dates, continues to hold its value over time.
Meanwhile, healthcare organizations have locked down their devices.
There were a total of 140 breaches in 2014 due to loss or theft, and that dropped to just 97 last year.
"Last year, a much higher percentage of devices have shipped with encryption enabled," Campagna said.
Cyber attackers tended to use standard methods to compromise healthcare organizations last year, he added, using phishing to get employee credentials than leveraging those credentials to get at the data itself.
"It's striking how run-of-the-mill these attacks have been," he said.
He recommended that companies train employees to spot phishing attacks, keep an eye out for similar-looking domains used to host spoofed corporate login or HR screens, and introduce two-factor authentication for suspicious logins.
"An employee logging in from a computer inside the network, it might be a low-risk situation," he said. "But if an employee is logging in from North Korea on an Android device -- when they previously only used iPhones -- that could be flagged."
In fact, many healthcare organizations are missing the opportunity to take advantage of two-factor authentication systems that are already in place.
For example, 37 percent of healthcare organization were using Google Apps or Office 365 in 2015, up from 8 percent in 2014.
But only 5.2 percent were using the single sign-on feature of these platforms, a basic security precaution.
"A lot of healthcare organizations are moving away from on-premises applications to the cloud," Campagna said.
"That makes the other types of authentication techniques, like multi-factor, much more important. It can be secure, but only if the cloud applications are used in a secure fashion."