New research examines the information that may leak during hospital data breaches.
Recent research identifies what types of information hackers steal during a hospital data breach.
Researchers from Michigan State University (MSU) in East Lansing and Johns Hopkins University in Baltimore, MD, revealed what types of data leak from secure servers during hospital data breaches. They published their study in the Annals of Internal Medicine.
This type of data breach can have severe consequences for the people whose information the hackers obtain, says John (Xuefeng) Jiang, lead author and MSU professor of accounting and information systems. He adds that financial fraud or identity theft is not the only possible result: a breach can also lead to the misuse of sensitive medical information.
Potential for fraud, identity theft, and more
“The major story we heard from victims was how compromised, sensitive information caused financial or reputation loss,” says Prof. Jiang. “A criminal might file a fraudulent tax return or apply for a credit card using the social security number and birth dates leaked from a hospital data breach.”
This is the first research that has revealed details on the types and amount of public health information obtained through hacking incidents. The researchers estimate that the 1,461 data breaches that took place over 10 years from 2009 to 2019 impacted 169 million people.
To identify what data was at risk, researchers divided information into one of three categories: demographic information, which includes names and email addresses; financial information, including date of service, billing amount, and payment information; and medical information, which includes items such as diagnoses and treatment.
The study authors broke down demographic information further by categorizing social security numbers and birth dates into “sensitive demographic information,” and financial information, which included payment cards and banking details, into “sensitive financial information.”
These categories are ripe for exploitation by those who want to commit identity theft or financial fraud.
Knowing the target is a key part of the battle
For compromised medical information, the researchers placed specific diagnoses and treatment options in a “sensitive medical information” category. These included HIV status, sexually transmitted diseases, substance abuse, mental health, and cancer. These had the potential for severe privacy violations for the people involved.
Around 70% of the data breaches involved sensitive demographic or financial information. This means that identity theft and financial fraud may be the goal of the majority of those who hack this sort of information.
However, 20 of the data breaches compromised sensitive medical information, which affected around 2 million people.
“Without understanding what the enemy wants, we cannot win the battle,” says Ge Bai, associate professor of accounting at Johns Hopkins Carey Business School and Bloomberg School of Public Health. “By knowing the specific information hackers are after, we can ramp up efforts to protect patient information.”
Future steps and implications of the study
Those involved in this study recommend that regulators, such as the Department of Health, make an effort to formally collect the types of information that leak out during a data breach and inform the public.
They say this will help those affected assess potential damages. Also, institutions with limited resources could take steps to limit the amount of information exposed in a possible data breach. For example, they could store financial and demographic information on different servers.
The researchers say that another area of concern involves the Department of Health and Human Services and Congress. The department has recently introduced new rules to encourage more data sharing. According to the researchers, data sharing has the unfortunate side effect of increasing the risk of data breaches.
Plans are already in place, though, for Prof. Jiang and Bai to work with lawmakers and organizations to ensure personal information is as safe as possible.