
Majority of Hospital Data Breaches Expose Sensitive Financial Info

Analysis | By Jack O'Brien | September 23, 2019

More than 70% of hospital data breaches include sensitive demographic or financial information that could lead to identity theft.

Most hospital data breaches expose sensitive demographic or financial information that could lead to identity theft, according to a report in the Annals of Internal Medicine Monday afternoon.

A joint research project between Michigan State University and Johns Hopkins University found that in a pool of more than 1,400 patient health information (PHI) breaches over the past decade, all of them contained at least one piece of demographic information. 

Two-thirds of breaches affected 150 million patients, compromising demographic information that included Social Security numbers, driver's license numbers, or dates of birth. 

Seventy-one percent of breaches affected 159 million patients, compromising sensitive demographic or financial information that could be "exploited for identity or financial fraud." This included service dates, billing amounts, and payment information, among other important metrics.

The study concludes that lawmakers should consider requiring health systems to disclose what information was compromised in a data breach, in addition to the number of patients affected. According to researchers, HHS does not publish information about PHI breaches affecting fewer than 500 patients.

This spring, both the Department of Health and Human Services (HHS) and Congress proposed policies to enhance interoperability and the sharing of electronic patient information between health systems. 

Despite the push to share more data, the study acknowledged that data breaches affect thousands of patients each year and might increase as a result of such policies. 


John (Xuefeng) Jiang, PhD, Plante Moran Faculty Fellow at Michigan State University, told HealthLeaders that while providers might be concerned about sharing PHI with other facilities due to the risk of a data breach, those worries might be overblown.

"Given that medical information is the least likely breached, maybe healthcare providers should share more medical and clinical information with other healthcare providers to provide better care," Jiang said. "[Providers should] realize that most of the information in a data breach, more than 70%, is financial information [that] a bad guy can make money from directly." 


Beyond compromised financial information, 65% of breaches compromised medical or clinical information, with 2% compromising sensitive medical information.

However, only 16% of breaches affected patients' medical information but did not compromise sensitive demographic or financial information.

In examining PHI breaches, Jiang said that nearly half could be attributed to internal mistakes or negligence by provider organizations.

One solution Jiang offered was limiting the use of mobile devices, as they have been linked to additional data security risks.


Jack O'Brien is the Content Team Lead and Finance Editor at HealthLeaders, an HCPro brand.

