When healthcare facilities, like hospitals and health plans, are compromised and protected health information is exposed, more often than not that data will aid attackers in committing identity theft.
According to a new study carried out by two professors - one at Michigan State University, the other at Johns Hopkins - 71 percent of breaches over the last 10 years led to the compromise of sensitive data, both demographic and financial, that could go on to be used in identity theft and fraud.
The research letter, Types of Information Compromised in Breaches of Protected Health Information, was recently published in the Annals of Internal Medicine, a medical journal published by the American College of Physicians.
For the study, the two professors, John (Xuefeng) Jiang, PhD, of Michigan State University and Ge Bai, PhD, CPA, an Associate Professor at Johns Hopkins Carey Business School, combed through 10 years of breaches - records from breaches at health plans, healthcare clearinghouses, and healthcare providers, as reported to the U.S. Department of Health and Human Services between 2009 and 2019.
Healthcare orgs are required to report data breaches to the HHS if a breach affects 500 or more individuals.
The researchers found that over that span, 159 million patients had at least one form of PHI compromised. For the research, Jiang and Bai looked at PHI such as demographic information (patient names, email addresses, phone numbers); type of service or financial information (service dates, billing amounts, payment information); and medical or clinical information (diagnoses and treatment).
The two looked at 1,461 breaches from 1,388 entities in total. 513 of the breaches left financial data exposed; 186 of those breaches, affecting 49 million patients, left sensitive financial data, like credit card and debit card numbers, exposed.
Medical or clinical information was compromised in 944 breaches affecting 48 million patients. Of these breaches, 2 percent (22 cases) involved sensitive medical information.
The paper is the latest from Jiang and Bai, who last year published a paper suggesting that over the last several years, more PHI has been leaked by healthcare providers themselves than by hackers.
The research suggests that when looking at healthcare data breaches, perhaps more of an emphasis should be placed on the diversity of data breached, not just the number of victims. Being cognizant of the different types of PHI that can be exposed in these breaches should help inform organizations when it comes to implementing safeguards and security practices.
“Policymakers may consider requiring entities to provide standardized documentation of the types of compromised PHI, in addition to persons affected, when reporting breaches,” the researchers wrote in the study. “Such information will facilitate the analysis and understanding of breaches and their consequences and the development and adoption of PHI security practices.”
While it's important - and required of healthcare orgs under the Health Insurance Portability and Accountability Act - to protect healthcare data, efforts should also be made to protect supplementary patient data that can be used in identity theft attacks, like Social Security numbers and financial data.