The majority of data impacted by healthcare breaches could be leveraged by hackers to commit fraud or identity theft, according to a recent study published in the Annals of Internal Medicine.
Researchers from Johns Hopkins University and Michigan State University analyzed claims made to the US Department of Health and Human Services, which includes nearly 1,500 breaches of protected health information over the last 10 years.
The hope was to shed light on the specific details of a breach, since media reports often focus only on the number of patients impacted. Further, the type of data compromised during a breach is not always made public, which makes it difficult to build a complete picture of the breach's impact.
Patient data was categorized as demographic details, service or financial data, and medical information. Within these categories, the researchers focused on the data most likely to be exploited for fraud. HIV, substance abuse, cancer, and other sensitive diagnoses were classified as the most sensitive information, given the privacy implications.
The researchers found that 194 breaches, or 66 percent, exposed sensitive demographic information such as Social Security numbers, dates of birth, or driver's license numbers, impacting 150 million patients.
Meanwhile, 71 percent of breaches, affecting 159 million patients, exposed demographic or financial information, which puts those patients at risk of fraud or identity theft. The data included billing amounts, payment data, service dates, and other related details.
Just 2 percent of the breaches analyzed by researchers exposed medical information, such as diagnoses. However, these impacted 2.4 million patients. And 65 percent compromised general clinical or medical information, which impacted 48 million patients.
On the other hand, 16 percent of breaches impacting 6 million patients only compromised medical information, without demographic or financial data. Overall, all breaches contained at least one demographic detail.
The researchers noted that under current HHS reporting requirements, the focus remains on the number of patients impacted, rather than the type of information. As a result, it’s challenging to manage the risk posed in the aftermath of a breach.
Instead, policies should also draw focus onto the type of information breached, in addition to the number of impacted individuals. The researchers recommended that entities be required to provide standardized documentation as part of notification requirements, to improve analysis and understanding of breach consequences.
The study upholds findings from a recent FireEye report that showed hackers are increasingly targeting providers for financial gain: “Actors buying and selling PII and PHI from healthcare institutions and providers in underground marketplaces is very common and will almost certainly remain so due to this data’s utility in a wide variety of malicious activity ranging from identity theft and financial fraud to crafting of bespoke phishing lures.”