Most Health Data Breaches Expose Sensitive Information

Marcia Frellick

September 23, 2019

Nearly three fourths (71%) of health data breaches that have occurred during the past 10 years exposed protected health information (PHI), including sensitive demographic or financial information, new data show.

Those exposures put 159 million patients at risk for identity or financial fraud, according to an article published online today in the Annals of Internal Medicine.

John (Xuefeng) Jiang, PhD, who is with the Eli Broad College of Business at Michigan State University in East Lansing, and Ge Bai, PhD, CPA, who is with the Johns Hopkins Carey Business School and the Bloomberg School of Public Health in Baltimore, Maryland, analyzed the 1461 PHI breaches that occurred between October 2009 and July 2019.

Two percent of the breaches exposed sensitive medical information, such as substance abuse, HIV status, or mental health status. Those breaches affected 2.4 million patients, the investigators found.

"Notably, 16% of the breaches affecting 6 million patients compromised medical information only, without compromising sensitive demographic or financial information," the authors write.

Until now, damage reports regarding health entities that have been hacked have centered on how many people were affected, but this analysis sheds light on what cyberthieves want.

"Without understanding what the enemy wants, we cannot win the battle," Bai said in a press release. "By knowing the specific information hackers are after, we can ramp up efforts to protect patient information."

Three Categories of Exposures

The authors designated three categories of information that could be exposed, but noted that a single breach could expose several kinds of information:

  • Demographic information (patient name, email address, telephone number, etc), as well as a subcategory of information that is of importance with respect to identity fraud (Social Security numbers, driver's license numbers, and dates of birth);

  • Financial data (service dates, billing amounts, payment information), including sensitive information (credit card and bank account numbers); and

  • Medical information (diagnosis and treatment information), including sensitive data (information regarding substance abuse, HIV status, mental health, sexually transmitted diseases, etc).

Jiang and Bai found that 964 breaches (66%), which affected 150 million patients, compromised Social Security numbers, driver's license numbers, and dates of birth.

Just over a third of the breaches (n = 513; 35%) exposed service or financial information. Among the financial breaches, 186 compromised credit cards or bank accounts and affected 49 million patients.

The authors acknowledge that healthcare entities may not know about or report some data breaches, so the list of breaches may be incomplete. The research also relied on US Department of Health and Human Services (HHS) data, which do not include breaches that affect fewer than 500 people. If 500 or more persons are affected, health plans, healthcare clearinghouses, and healthcare providers are legally required to report the breach to HHS.

As federal proposals for data sharing and interoperability grow, the authors say, new policies that require entities to report not only the number of people affected but also the kinds of information exposed could help develop better strategies for protection.

In a study published last year, Jiang and Bai found that more than half of health data breaches were caused by internal mistakes or neglect.

The authors have disclosed no relevant financial relationships.

Ann Intern Med. Published online September 24, 2019.
