More than 70% of hospital data breaches compromise information that puts patients at risk of identity theft

About 159 million patients had sensitive information like Social Security numbers or credit card numbers compromised in a hospital data breach in the past 10 years. 

This puts those patients at serious risk of identity or financial fraud.

According to a research paper published in the Annals of Internal Medicine Monday, 94% of all patients affected by a healthcare data breach since October 2009 had their sensitive demographic information, such as Social Security numbers or financial data like banking account numbers, compromised during the breach.

Researchers from Michigan State University and Johns Hopkins University studied 1,461 breaches of protected health information over the past 10 years to examine for the first time the types of information that were compromised in these breaches.

Ongoing healthcare data breaches have eroded patients' trust in the ability of providers and health plans to protect their data. A recent Harvard T.H. Chan School of Public Health and Politico survey showed that only 17% of patients have a “great deal” of faith that their health plan will protect their data, and only 24% trust their hospital to keep their data safe.

While breach reports often focus on how many patients are affected by data breaches, it has not been a requirement to share what types of data were compromised, according to the researchers.

RELATED: 32M patient records breached in 2019. That's double all of 2018, Protenus reports

The researchers looked at 1,461 breaches reported by 1,388 entities to the U.S. Department of Health and Human Services since October 2009. All of the breaches involved at least one piece of demographic information, the analysis found. 

When a hospital data system is hacked, criminals gain access to sensitive health, demographic and financial information that compromises patient privacy and financial security. Looking at the protected health information involved in each of these breaches, the researchers categorized patient information into three buckets: demographic, service or financial information and medical information. The researchers zeroed in on the most sensitive information within those three categories that could likely be exploited for identity or financial fraud.

For example, while demographic information includes patient names, email addresses, phone numbers and other personal identifiers, researchers classified Social Security numbers, driver's license numbers and dates of birth as particularly sensitive demographic information.

With financial information, the researchers were concerned with breaches that exposed patients' payment cards and banking accounts. Researches classified substance abuse, HIV, sexually transmitted diseases, mental health and cancer as the most sensitive medical information because of the substantial implications for clinical privacy. 

The analysis found:

  • About two-thirds of hospital data breaches (66%), or 964 breaches in the past 10 years, compromised patients' sensitive demographic information such as Social Security numbers or driver's license numbers.

RELATED: Clinical Pathology Laboratories the latest company impacted by massive AMCA breach

  • A total of 513 breaches (35%) compromised service or financial information. Of those breaches, 186, or 13%, affecting 49 million patients compromised sensitive financial information like credit cards.
     
  • The combination of those categories represents 1,042 unique breaches. That means 71% of the breaches affecting 159 million patients exposed sensitive demographic or financial information that could be exploited for identity or financial fraud. That's 94% of the 169 million patients affected by a healthcare data breach in the past 10 years.
     
  • Two percent of the breaches affecting 2.4 million patients comprised sensitive medical information, potentially threatening their clinical privacy.

RELATED: Moody's: Cyberattacks could cause significant financial disruption for hospitals

The current reporting requirements, academic research and public attention regarding consequences of protected health information breaches are primarily focused on the number of affected patients rather than the types of compromised protected health information, limiting the potential to manage the risk for breach effectively, wrote the paper's author, John (Xuefeng) Jiang, Ph.D., with the Eli Broad College of Business at Michigan State University.

Going forward, policymakers should focus attention on the type of information compromised in healthcare data breaches in addition to the number of persons affected, Jiang wrote. These findings suggest policymakers may consider requiring entities to provide standardized documentation of the types of information compromised when reporting on protected health information breaches.

Reporting this information will help improve the analysis and understanding of breaches and their consequences, he wrote. And this could help hospitals develop and adopt better security practices for protected health information.