All industries are affected by cyberattacks, but how often and to what extent they occur vary greatly by industry type.
As for frequency, the healthcare industry in 2016, for the third year in a row, saw the greatest number of incidents and by a wide margin. Specifically, about 35 percent of the incidents we handled last year involved the healthcare industry. This is a marked increase from last year’s report, in which healthcare, still the leading industry by frequency of incident, represented about 23 percent of the incidents we worked on. Why is healthcare affected so frequently? One reason is that stolen electronic medical records are significantly more valuable on the black market than most other stolen personal information such as payment card information or Social Security numbers. Additionally, medical-related information theft may take longer to discover and fix than other types of identity theft do, thereby allowing the bad actors more time to monetize the stolen information. While it is hit the most, the healthcare industry is not hit the hardest.
As for severity, the retail/restaurant/hospitality industry was hit the hardest – by far. The average incident in this industry affected about 297,000 individuals. This figure is nearly five times greater than the average number affected by an incident in the healthcare industry (about 61,000). The ubiquitous nature of payment card use in today’s society partially explains why the number of affected individuals is so large in this industry.
Data security incidents in the government sector represented about 5 percent of the BakerHostetler-assisted incidents. Government incidents, while low in numbers of incidents, typically affect a large number of individuals. Last year, for government-related incidents, BakerHostetler notified on average about 134,000 individuals, which is second-highest (behind the retail/restaurant/hospitality industry) in terms of severity.
There is one constant, however. Data incidents happen to companies regardless of their size (and sophistication), and those incidents are distributed fairly evenly across company size. According to our numbers, 29 percent of the incidents we handled were for clients with over $500 million in annual revenue, 33 percent were for clients with annual revenue between $100 million and $500 million, and 39 percent had annual revenue less than $100 million.