CyberGuide - Information Security and Cyber Risk Management

Physical loss/theft of data decreasing but remains challenge for some industries: Data Spotlight

By Rebecca Gainsburg, Advisen

The number of cyber losses stemming from physical theft have decreased over the last decade, but the risk remains a concern for those industries slower to transition to digital.

Physically lost or stolen data used to be one of the most prevalent cyber threats. In 2009 Symantec concluded, “The physical theft or loss of a device containing corporate information is the largest single reason for data breach.”

Although the total number of cyber losses stemming from the physical loss or theft of data has decreased from the late 2000s, these losses are still prevalent in Healthcare, Finance & Insurance, and Public Administration, according to Advisen’s loss database.

Personal Identity Information (PII) Losses by Type

To improve the visualization of this graphic, the percentage of other PII losses has been reduced 75%.

The physical loss or theft of data accounted for a rising proportion of total personal identity information (PII) losses from 2000 to 2010, according to Advisen loss data. From 2011 to 2016, the percentage of PII stolen from the physical loss or theft of data decreased in comparison to other types of PII attacks, before somewhat rising again from 2017 to 2019.

Physical Records Loss by Industry, Frequency

Healthcare, Finance & Insurance, and Public Administration account for nearly three-quarters of all losses resulting from physical theft or loss, according to Advisen loss data. This is likely a reflection of the fact that these three industries collect and store a significant amount of data and have been relatively slow to digitize in comparison to other industries.

A 2021 cybersecurity threat report found 89% of healthcare organizations had patient data lost or stolen in the past two years. Medical records for adults and deceased patients must be kept for at least 10 years after the date of their last medical service in nearly every state. Many of these records are stored in hard-copy.

The sheer amount of records being kept by healthcare organizations makes it easy for large amounts to be misplaced. For example, in 2018 boxes of files containing payment details from 2010 and 2015 to 2017 went missing from a storage facility of a group of Illinois physicians. The missing records affected as many as 22,000 patients, according to Advisen loss data.

Finance & Insurance is another industry which relies on a high volume of paper records – in part because most consumers still prefer to receive paper financial statements.

Public Administration has also been slow to digitize, due to a number of factors including lack of awareness, lack of open-mindedness, and lack of training amongst administrators, as well as insufficient bandwidth, insufficient internet access, and a lack of physical infrastructure. Digitization in the Public Administrative sector is also challenged by the fact not everybody has access to high-speed internet, yet communications must remain accessible to all.

Physical Records Losses by Cause

Printed records and stolen laptops are the greatest source of physical records lost or stolen, according to Advisen data – accounting for nearly three-quarters of total losses.

Best practices for preventing losses from physically lost or stolen data include locking down workstations and laptops, securing files and portable equipment before leaving a workstation, keeping papers, computers and other electronic devices out of sight when stored in cars or homes, and shredding sensitive paper documents before disposing of them.

Data Journalist Rebecca Gainsburg can be reached at [email protected]

To learn more about Advisen’s data call (212) 897-4800 or email [email protected].

*Advisen’s loss data is curated from a wide variety of public sources. Our collection efforts focus on larger and more significant cases. For this reason, the figures in this article may not be fully representative of all cases of this type.