A new research study has revealed the extent of the damage when hospitals and other medical institutions suffer a data breach. The researchers said that patients whose data is included in breached hospital records could also become victims of bigger crimes like identity theft and financial fraud.
Researchers from Michigan State University (MSU) in East Lansing and Johns Hopkins University in Baltimore, MD, published a study entitled “Types of Information Compromised in Breaches of Protected Health Information” in the journal Annals of Internal Medicine. The study revealed in detail what types of information are compromised when a hospital suffers a data breach and what hackers would do with the information they gather from hospital records.
John (Xuefeng) Jiang, lead author and MSU professor of accounting and information systems, said that people whose data is included in medical data breaches face severe consequences. He said that patients would not only be subject to financial fraud and identity theft; their medical data would also be misused in one way or another.
“The major story we heard from victims was how compromised, sensitive information caused financial or reputation loss,” says Prof. Jiang. “A criminal might file a fraudulent tax return or apply for a credit card using the social security number and birth dates leaked from a hospital data breach.”
According to the study, an estimated 461 data breaches took place over ten years from 2009 to 2019. Collectively, these breaches have impacted at least 169 million people. The study's methodology divides the data gathered on data breaches in the medical industry over the past ten years into different categories.
The first category is demographic data: data breaches that exposed at least demographic data such as the names, email addresses, physical addresses, ages, and genders of patients. The second category is financial information, which pools data breaches that leaked finance-related data, including date of service, billing amount, and payment information. Finally, the third category is medical information, which includes patient data like diagnoses and treatment programs.
The researchers further subdivided these categories. Within demographic information, social security numbers and birth dates were classed as “sensitive demographic information”; financial information that included payment cards and banking details was classed as “sensitive financial information.” For compromised medical information, the scientists placed specific diagnoses and treatment options in a “sensitive medical information” category.
Sensitive medical information, according to the researchers, includes HIV status, sexually transmitted diseases, substance abuse, mental health, and cancer. Disclosure of these types of information may lead to severe violations of privacy rights of patients, the study noted.
The study reveals that at least 70% of the data breaches in the past ten years disclosed sensitive demographic and financial data. In the researchers' interpretation, the most likely reason for these types of data breaches was to use the scraped information to commit identity theft and financial fraud.
Nonetheless, at least 20 of the analyzed data breaches illegally disclosed sensitive medical information of hospital patients. In aggregate, these data leaks have impacted more than 2 million individuals.
Understanding the motivation behind the data breaches that affected the medical field is a key ingredient in fighting the scourge of data breaches in the industry, the researchers said.
“Without understanding what the enemy wants, we cannot win the battle,” says Ge Bai, associate professor of accounting at Johns Hopkins Carey Business School and Bloomberg School of Public Health. “By knowing the specific information hackers are after, we can ramp up efforts to protect patient information.”