A study of 10 years of US hospital data breaches found that sensitive information of 159m patients was leaked, putting them at risk.
A report published in the journal Annals of Internal Medicine claims that more than 70pc of hospital data breaches in the US included sensitive information that could be exploited in identity theft or fraud.
Researchers from Michigan State University (MSU) and Johns Hopkins University studied almost 1,500 breaches of protected health information over a period of 10 years from October 2009 to July 2019. Specifically, they examined the types of information compromised in these breaches, such as names, email addresses and other personal identifiers, as well as service or financial information, and medical information such as diagnoses or treatment.
“The major story we heard from victims was how compromised, sensitive information caused financial or reputation loss,” said John (Xuefeng) Jiang, lead author and MSU professor of accounting and information systems. “A criminal might file a fraudulent tax return or apply for a credit card using the social security number and birth dates leaked from a hospital data breach.”
Classifying compromised data
Social security numbers, driving licence numbers and birth dates were classified as sensitive demographic information, while details of payment cards and banking accounts were classed as sensitive financial information, both of which can be exploited by hackers.
Jiang’s team found that 71pc of breaches compromised sensitive demographic or financial information that could be exploited. This percentage accounts for 159m patients affected.
“Within medical information, we classified information related to substance abuse, HIV, sexually transmitted diseases, mental health and cancer as sensitive medical information because of their substantial implications for privacy,” Jiang explained. A further 2.4m patients (2pc) saw sensitive medical information such as this compromised.
Reducing risk
The researchers hope this study will encourage hospitals and health providers to better protect patients’ sensitive information.
“Without understanding what the enemy wants, we cannot win the battle. By knowing the specific information hackers are after, we can ramp up efforts to protect patient information,” said co-author Ge Bai, associate professor of accounting at Johns Hopkins Carey Business School and Bloomberg School of Public Health.
The researchers suggest that hospitals and healthcare providers implement separate systems to store and communicate sensitive demographic and financial information in order to reduce data breach risks.
The US Department of Health and US Congress, however, recently proposed rules to encourage data sharing, which will improve interoperability in healthcare but will further increase the risk of a breach.
In the case of future public information breaches, the researchers further proposed that these bodies are transparent about the types of information compromised so that the public can assess the potential damages.