More than 70% of healthcare data breaches in the U.S. have involved sensitive demographic or financial information that could fuel identity theft, a new study suggests.
When a healthcare company is hacked, criminals gain access not only to health information, but also to demographic and financial data that could compromise patients’ privacy and financial security, researchers from the Michigan State and Johns Hopkins report.
Media reports often focus on the numbers of patients affected by these breaches, but what may be more important is the kind of data that has been stolen, they write in Annals of Internal Medicine.
Theft of medical data may not affect patients much because there isn’t a big market for it, said the study’s lead author, Xuefeng Jiang, a professor of accounting and information systems at the Eli Broad College of Business at Michigan State University.
“But social security numbers, credit card numbers and demographic data (such as names, birth dates, and other personal identifiers) can be sold on the dark web,” Jiang said. “The main message for hospitals and health care providers is, if you have limited resources to safeguard information, you should put more emphasis on the sensitive kinds of information that can be sold on the dark web.”
For patients, the advice is to look past the numbers in media reports and focus on what types of information have been compromised, Jiang said.
To take a closer look at the kinds of data that get stolen in healthcare data hacks, Jiang and his coauthor pored over U.S. Department of Health and Human Services records on breaches that occurred between 2009 and 2019.
The HHS requires all health plans, health care clearing houses and health care providers to notify the agency after a hack and it publishes information online whenever a breach affects 500 or more people.
After examining the hacks of 1,461 healthcare organizations, the researchers found that all involved at least one piece of demographic data. In 964 breaches, which affected 150 million patients, sensitive information, including social security numbers, drivers’ license numbers, and dates of birth, was compromised. Those breaches accounted for 66% of the hacks examined by the researchers.
A total of 513 breaches, or 35%, left service or financial information vulnerable. In 186 of the 513, which affected 49 million patients, compromised sensitive financial information, including credit card and bank account numbers.
Overall, 71% of the hacks that occurred over the 10-year study period, affecting 159 million patients, compromised sensitive demographic or financial information that could be used in identity theft and financial fraud, the researchers concluded.
The new study is “important,” said Michael Pencina, a professor of biostatistics and bioinformatics and vice dean for data science and information technology at the Duke University School of Medicine in Durham, North Carolina.
“They make a good point that we need to care as much about the type of information that is hacked as the number of individuals affected,” Pencina said. “Still, whether it’s medical, demographic or financial information, that’s the stuff I don’t want in somebody else’s hands.”
As hacks become increasingly common, IT specialists debate the best way to keep data safe, Pencina said. “Is it safer to have data stored on a server locally or does it make more sense to store everything using the cloud,” he said.
While the companies offering cloud storage might be bigger targets, they also have more tools to protect against hacking, Pencina said.