>>How trustworthy / complete (from a statistical sampling POV, as in "not skewed") do you believe your base info to be?

Under US HIPAA legislation, failure to self-report a breach has severe employment and legal consequences, especially if somebody else reports it. All breaches affecting more than 500 patient records are investigated by authorities. The data are analysed and publicly reported.

The stats say that up to a half of breaches and up to 80% of compromised patient records, result from loss or theft of mobile devices. This means that people with power to grab large chunks of data, continue to store it insecurely on mobile devices seven years after the HIPAA legislation was introduced. A doctor or nurse continuing to defy the law in that fashion, could expect to be sued to heck and back but instead the people supposed to guard against such negligence, attend cyber threat conferences in Las Vegas where they strain at gnats. ;-)

>>While looking at latest breaches will give you probably better protection than my theorizing, quite a few things I found roboting with IE3-6 last millenium were later used as attack vectors, so I try to keep my danger radar in tune ;-)

Certainly agree that unrepaired attack vectors can turn the data on its head. However, inside or outside healthcare I seem to recall a consistent theme of complicit or negligent insiders and slack adherence to obvious best practice, like expedient sharing of user logins, widely known SA passwords and lazy caches of data all over the place.