Dive Brief:
- More than 70% of all hospital data breaches include sensitive demographic or financial information that could lead to fraud or identity theft, according to a new study published in Annals of Internal Medicine analyzing almost 1,500 breaches of protected health information over the past decade.
- Each breach included at least one piece of demographic information, such as names, email addresses and other personal identifiers. Two percent of the breaches compromised sensitive medical information, threatening the health privacy of 2.4 million patients.
- Researchers suggest policymakers require health systems and other companies provide standardized documentation of what data was compromised following a breach in addition to the number of patients affected.
Dive Insight:
Americans largely don’t trust the healthcare system to secure their data, and one doesn’t have to dig hard to find out why. In 2018, the healthcare sector retained the dubious honor of being the industry with the most data breaches, and less than a quarter of the country trusts health systems to protect their information, according to an August survey by the Harvard T.H. Chain School of Public Health.
Past work on the dire state of cybersecurity in healthcare has focused on the breadth of information accessed or how many patients were affected. This research, undertaken by researchers from Michigan State University and Johns Hopkins University, looked at what type of data is most commonly affected.
Of the 1,461 breaches between October 2009 to July 2019 analyzed, 71% included highly sensitive demographic or financial information that could be used for identity theft or other forms of consumer fraud, affecting 159 million patients. Over that time period, breaches spanned 1,388 healthcare companies.
A total of 513 breaches, or 35% of the aggregate, compromised service or financial information. Among those, 186 breaches compromised sensitive credit card or bank account information.
A total of 944 breaches (65%) compromised the clinical information of patients. Of those, 22 cases or 2% involved sensitive information around substance abuse, HIV, sexually transmitted diseases, mental health and cancer. Though 2% seems small, that’s 2.4 million Americans.
HHS first began requiring healthcare providers and their business associates to publicly disclose data breaches involving 500 people or more roughly a decade ago. Last year, nearly 300 breaches exposed the records of 11.5 million patients, and one single cybersecurity breach this year hitting the billing collection vendor for lab giants Quest Diagnostics and LabCorp affected the data of nearly 20 million patients.
Though data security across the healthcare ecosystem is lacking, the Trump administration continues to push for free, unfettered information sharing between healthcare entities. HHS released twin rules in February to implement the information blocking provisions of the 21st Century Cures Act and speed industry interoperability to heavy subsequent pushback from payers, providers and health IT companies.
The researchers of the Annals report reiterated perennial concerns about walking the fine line between data sharing and patient privacy. “Considering the fundamental tradeoff between data access and data security, it is critical to limit the risk for protected health information breaches,” they wrote.