How effective information governance can help mitigate damages from an information breach

Brian D. Annulis (brian.annulis@ankura.com) is Senior Managing Director, Joseph Shepley (joseph.shepley@ankura.com) is Managing Director, and Samir B. Almhiemid (samir.almhiemid@ankura.com) is an Associate at Ankura Consulting Group LLC, Chicago, IL.

Healthcare organizations today face unprecedented challenges managing and protecting their sensitive electronic information: not only electronic protected health information (ePHI) but also other high-value, high-risk data such as personally identifiable information (PII), payment card industry (PCI) data, network access credentials, and financial data. Prior to 2020, cyberattacks had been on a steady year-over-year increase, but in 2020, this steady increase turned into explosive growth.

Healthcare experienced a more than 9,000% increase in endpoint attacks compared to 2019, which led to approximately 1 million patient records breached per month.[1] The U.S. Department of Health & Human Services Office for Civil Rights (OCR) breach data[2] shown in Figure 1 tells a similarly alarming story: in 2020, there were 188 reported breaches of network servers[3] involving 500 or more individuals—a more than 400% increase compared to 2019 and a more than 200% increase compared to 2017, which was the previous high-water mark for reported network server breaches. Beyond the typical impacts of these attacks, such as regulatory fines, sanctions, and mandated corrective action plans, 2020 also saw the first-ever reported loss of life due to a cyberattack: in September, a German patient died during a ransomware attack when being rerouted to another healthcare facility to receive care.[4]

Figure 1: Number of breaches and lives affected 2011–2020