Stolen Hospital Records Could Lead to Identity Thefts, Fraud
Thu, April 22, 2021


Continuously developing technology not only provides healthcare with better treatments but also helps the industry get better information about patients. Access to electronic medical records gives hospitals the opportunity to provide better care for patients, and can even be the difference between life and death.

So when a hospital gets hacked, more is stolen than just credit card data and social security numbers. Hospital breaches lead to stolen sensitive health information crucial to the development of treatments and cures. Stolen data may also fuel identity theft and fraud, and compromise patients' privacy.

A new study from Michigan State University (MSU) and Johns Hopkins University (JHU) looked at what kind of data is stolen and leaked through hospital breaches. It analyzed 1,461 hacks from 1,388 facilities (with some having been attacked multiple times) between October 21, 2009 and July 1, 2019.

Uncovering exposed information

For the study, the researchers classified hospital data into three categories: demographic (e.g. names, emails, other personal identifiers), service or financial information (e.g. service date and payment information), and medical information (e.g. diagnoses and treatments).

They also classified social security and driver's license numbers as sensitive demographic information, as well as payment cards and banking accounts as sensitive financial information, as these can be used for identity theft or financial fraud.

"Within medical information, we classified information related to substance abuse, HIV, sexually transmitted diseases, mental health, and cancer as sensitive medical information because of their substantial implications for privacy," John (Xuefeng) Jiang, lead author and MSU professor of accounting and information systems, said in a statement.

The researchers found that sensitive demographic and financial data were involved in a total of 70 percent of hospital hacks over the 10-year study period. Attackers could use such information to steal patients' identities or commit financial fraud using the patients' names.

They also found that a total of 169 million people have had some form of information exposed because of hackers, two million of whom had sensitive health information compromised in 20 breaches.


The breakdown

Researchers used data from the US Department of Health and Human Services (HHS), which requires health plans, health care clearinghouses, and health care providers to report hacking incidents. The HHS also publishes online information about any breach that affects 500 people or more.

According to Reuters, the researchers found that all hacking incidents from October 2009 to July 2019 involved at least one piece of demographic data. Results show that 150 million patients from 964 breaches have had their sensitive information compromised, accounting for 66 percent of hacks analyzed.

The news agency adds that 35 percent (513) of breaches compromised service or financial information, 186 of which affected 49 million patients' sensitive financial data.

Meanwhile, 16 percent of breaches compromised medical information that affected six million patients (exclusive of demographic or financial information). Forbes says only two percent of breaches involved the theft of such information and impacted 2.4 million patients.

Compromised information has caused financial or reputation loss for most patients, Jiang said. He added that hackers might use this information to "file a fraudulent tax return or apply for a credit card using the social security number and birth dates leaked from a hospital data breach."

The researchers were able to classify the kind and amount of public health information that is disclosed through breaches, providing them an accurate picture of the consequences.

Better protection of patient data

The results of the study offer healthcare institutions suggestions on how they can enforce better protection of sensitive patient information.

"Without understanding what the enemy wants, we cannot win the battle," said Ge Bai, co-author and an associate professor of accounting at Johns Hopkins Carey Business School and Bloomberg School of Public Health.

"By knowing the specific information hackers are after, we can ramp up efforts to protect patient information."

According to the researchers, health regulators like the HHS should formally collect the kinds of information commonly compromised in hacking incidents, in an effort to help the public assess the possible damages.

Over half of the breaches could be attributed to internal mistakes or negligence, according to Jiang. This includes not encrypting laptop computers, using "carbon copy" in emails instead of "blind carbon copy," and not revoking former employees' login credentials following the termination of their employment.

Focusing on securing information—especially if they have limited information—could help healthcare providers effectively reduce the risks of data breaches, Jiang said. He noted the HHS's recently proposed rules that encourage more data-sharing, which the author said increases the risk of compromising sensitive information.

Instead, the researchers suggest using separate data-sharing systems. For instance, one storage and sharing system would hold medical information, accessible only between healthcare provider researchers, while hospital and administration staff exclusively store, share, and are given access to demographic and financial information in another system.

"Don't worry about sharing [medical] information with your doctors," Jiang said, addressing those who are concerned about disclosing medical information.