Data breaches down in retail, but soaring in health care

Holiday shoppers will be pleased to hear that reported data breaches in the U.S. retail industry are down 92 percent from last year. But while Americans' credit card numbers appear to be safer, their medical records are under assault like never before, according to IBM Security.

Hackers compromised nearly 100 million health-care records in 2015, IBM Security data show. That amounts to nearly 1 in 3 Americans.

As retail data breaches fall to a four-year low of 5.7 million, compromises in the health-care sector have soared from 7.8 million in 2014 to 99.6 million this year. The health industry outranked computer services by a small margin in terms of the most records compromised in the first 10 months of 2015.

Among the care providers that reported data breaches this year was Anthem, which said in February that nearly 80 million records had been compromised.

Caleb Barlow, IBM Security vice president, told CNBC's "Squawk Box" on Thursday the shift in focus is especially troubling due to the nature of health-care information.

"The problem with the health-care record is it's what we call immutable data. It isn't easy to change," he said.

"You can't call somebody up and say, 'Hey, give me a new health-care record.' It's stuck with you for the rest of your life, so this information in the health-care record could be used 20 years from now to establish credit, file a tax return on your behalf, or file a false medical claim."

Health data has a high resale value on the black market, Barlow said. The only way to protect it is through encryption, he said.

"If there's a back door, someone will find a way to exploit it, and the adversary we're up against here is large teams that are well organized," he said. "If they were encrypted, the attackers might have gotten access to the data, but it would have been useless zeroes and ones that they wouldn't know what to do with."

The decline in reported attacks at stores does not mean shoppers can rest easy.

While big retailers have gotten better at fending off cyber attacks, hackers have shifted their focus within the sector to small businesses, which typically have fewer resources to defend against breaches, IBM Security said.