Healthcare News & Insights

Data breaches: Researchers advocate for sharing what, not just how much, is leaked

Researchers are urging hospitals not just to tally the number of patients exposed in a data breach, but also to reveal the types of data exposed, both to better understand the consequences and to create better security practices.

A paper published Sept. 23 in the Annals of Internal Medicine shows 94% of patients – about 159 million – affected by a healthcare data breach since October 2009 had sensitive demographic information compromised.

Social Security numbers and financial data like credit card numbers or bank account numbers are considered most likely to result in identity theft compared to gender, ethnicity or address information within patients’ records.

The researchers looked at 1,461 breaches reported by 1,388 entities to the U.S. Department of Health and Human Services since October 2009. All involved at least one piece of demographic information.

What’s being compromised

The review of the 1,461 breaches showed:

  • Two-thirds, or 964 breaches in the past 10 years, compromised patients’ sensitive demographic information such as Social Security numbers and driver’s license numbers.
  • Thirty-five percent compromised service or financial information. Of those breaches, 186 (13%) affected 49 million patients’ sensitive information like credit card numbers.
  • The combination of these categories means 71% of the breaches affecting 159 million patients exposed the sensitive demographic or financial information that could be exploited for identity or financial fraud.
  • 2.4 million patients – or those involved in 2% of the breaches – had sensitive medical information compromised that could potentially threaten clinical privacy. Researchers classified substance abuse, HIV, sexually transmitted diseases, mental health and cancer as the most sensitive medical information.

“Current reporting requirements, academic research and public attention regarding consequences of protected health information breaches are primarily focused on the number of affected patients rather than the types of compromised protected health information, limiting the potential to manage the risk for breach effectively,” the paper’s author said in a related article.

Data breach incidents also appear to be on the rise. According to Protenus and, the number of incidents between January and June of this year is more than double the number that occurred for the entire year in 2018.

“So far in 2019, there have been 285 breach incidents disclosed to the U.S. Department of Health and Human Services or the media from January to June 2019. Details were disclosed for 240 of these incidents, affecting nearly 32 million patient records,” Protenus found.

The consistent invasion of privacy through criminal activity hasn’t sat well with health care clients. A recent Harvard T.H. Chan School of Public Health and Politico survey showed that only 17% of patients have a “great deal” of faith that their health plan will protect their data, and only 24% trust their hospital to keep their data safe.

To regain patients’ trust, hospitals need to be vigilant with their security practices, working with IT to make sure systems are regularly updated and data is protected with passwords and encryption. Employees should also be regularly trained on breach-prevention techniques.
