Most Data Stolen From Hospitals Include Items Used in Identity Theft, Study Finds

More than 70% of hospital data breaches include the theft of sensitive items like patients’ Social Security or credit card numbers, as well as birth dates, which could lead to identity theft or fraud, according to a report published today in Annals of Internal Medicine.¹

Researchers from Michigan State University (MSU) analyzed data from 1461 breaches over the past 10 years to understand what hackers are looking for when they compromise hospital data. Both the frequency and seriousness of these incidents have escalated in recent years, as health systems increasingly rely on data sharing for diagnosis and treatment.

In March, the HHS Office of Civil Rights, which tracks breaches involving at least 500 people, reported 44 incidents involving more than 963,000 people, the highest number in a single month ever. For 2018, the total number of breaches was 365, up from 358 in 2017, and HHS fined healthcare entities $29 million in penalties for violations of the Health Insurance Portability and Accountability Act.

Because of the rich information they contain, stolen healthcare records are considered far more valuable on the black market than an individual Social Security or credit card number. Estimates for a healthcare record are reported at $50. Besides theft, other incidents involve ransomware, in which hackers block access to a healthcare information system until a fee is paid. Last week, for example, the small Campbell County Health System in Wyoming suffered a ransomware attack and had to divert emergency patients elsewhere.

According to the journal, this study was the first in which researchers systematically classified the kind or amount of protected health information stolen during hospital breaches. Before now, there has never been a complete picture of what consumers face from these events.

The breaches involved a total of 169 million people, and covered a period from October 2009 through July 1, 2019. The authors categorized the personal health information that was compromised into 3 types:

(1) demographic information, which included patient names, email addresses, phone numbers and personal identifiers; the researchers further identified sensitive information that includes Social Security numbers and dates of birth; all these items could be exploited for identify theft.

(2) financial information, which included service dates, billing amounts, credit card numbers, and banking account information; these items could be used to commit financial fraud.

(3) clinical information, such as diagnoses and treatment; they further identified substance abuse treatment information, or whether the patient had cancer, HIV, or a mental health issue.

“Within medical information, we classified information related to substance abuse, HIV, sexually transmitted diseases, mental health and cancer as sensitive medical information because of their substantial implications for privacy,” John (Xuefeng) Jiang, PhD, lead author and MSU professor of accounting and information systems, said in a statement.

“All 1461 breaches involved at least 1 piece of demographic information,” the authors wrote. “In particular, 964 breaches (66%) affecting 150 million patients (89%) compromised sensitive demographics,” such as Social Security numbers, driver’s license information, or dates of birth.

“The major story we heard from victims was how compromised, sensitive information caused financial or reputation loss,” Jiang said. “A criminal might file a fraudulent tax return or apply for a credit card using the social security number and birth dates leaked from a hospital data breach.”

The study found that more than 70% of the breaches compromised sensitive demographic or financial data, and more than 20 breaches compromised sensitive health information, which affected 2 million people.

The authors noted that their findings come as HHS and Congress seek to increase sharing of healthcare information through legislation that would improve interoperability. They promised to work with lawmakers to improve data security while improving the usefulness of data.

“Policymakers may consider requiring entities to provide standardized documentation of the types of compromised [protected health information], in addition to persons affected, when reporting breaches,” they wrote.

Reference

Jiang JX, Bai G. Types of information compromised in breaches of protected health information [published online September 23, 2019]. Ann Intern Med. doi: 10.7326/M19-1759.