Over 70% of hospital data breaches include confidential personal or financial information that could lead to identity theft
Researchers analyzed 1,461 breaches of protected health information over the past 10 years to understand the types of information that were compromised in these cyber attacks
More than 70% of hospital data breaches include sensitive demographic or financial information that could lead to identity theft or fraud, according to an analysis that catalogues what information was compromised over roughly a decade.
Around 169 million people have had some form of information exposed because of hackers, according to researchers from Michigan State University and Johns Hopkins University.
When hospitals are hacked, criminals gain access to confidential health, demographic, and financial information that compromises patient privacy and financial security. After such incidents, the public mostly hears about the number of victims, but not about the type of information the cybercriminals stole.
Until now, says the team, researchers have not been able to classify the kind or amount of protected health information leaked through breaches. Therefore, they have not been able to get an accurate picture of the "breadth or consequences" of such incidents.
"The major story we heard from victims was how compromised, sensitive information caused financial or reputation loss. A criminal might file a fraudulent tax return or apply for a credit card using the social security number and birth dates leaked from a hospital data breach," says John Jiang, lead author and Michigan State University professor of accounting and information systems.
The study — which examined 1,461 breaches that happened between October 2009 and July 2019 — details the specific data leaked through hospital breaches. The researchers classified data into three categories: demographic, which included names, email addresses and other personal identifiers; service or financial information, such as service date, billing amount, payment information; and medical information, such as diagnoses or treatment.
Social security, driver's license numbers and birth dates were categorized as sensitive demographic information. Payment cards and banking accounts were classified by the team as sensitive financial information.
"Both types can be exploited for identity theft or financial fraud. Within medical information, we classified information related to substance abuse, HIV, sexually transmitted diseases, mental health, and cancer as sensitive medical information because of their substantial implications for privacy," says Jiang.
The researchers found that all 1,461 breaches contained at least one piece of demographic information. Further, 71% of the breaches, which affected 159 million patients, compromised sensitive demographic or financial information that could be exploited for identity or financial fraud. More than 20 breaches compromised confidential health information, which affected at least two million people.
"Two percent of the breaches, affecting 2.4 million patients, comprised sensitive medical information, potentially threatening their clinical privacy," says the study published in Annals of Internal Medicine.
"Without understanding what the enemy wants, we cannot win the battle. By knowing the specific information hackers are after, we can ramp up efforts to protect patient information," says co-author Ge Bai, associate professor of accounting at Johns Hopkins Carey Business School and Bloomberg School of Public Health.
According to the research team, hospitals and other healthcare providers with limited resources could effectively reduce data breach risks by prioritizing the protection of the sensitive information most attractive to attackers. For example, says the team, hospitals can implement separate systems to store and communicate sensitive demographic and financial information.
The health department and other regulators should formally collect the types of information compromised in a data breach to help the public assess the potential damages, suggests the research team.
"The findings indicate that policymakers may consider requiring entities to provide standardized documentation of the types of information compromised, in addition to the number of persons affected, when reporting on protected health information breaches," says the study.