Most Patients Don’t Trust Their Healthcare Providers to Securely Store PII and Payment Information

In 2019, it was alarming that healthcare data breaches were being reported at a rate of more than 1 a day. In 2021, there have been several months where healthcare data breaches have been occurring at a rate of more than 2 per day. With data breaches occurring so regularly and ransomware attacks disrupting healthcare services, it is no surprise that many patients do not have much trust in their healthcare providers to protect sensitive personally identifiable information (PII).

That has been confirmed by a recent survey conducted by Dynata on behalf of Semafone. 56% of patients at private practices said they do not trust their healthcare providers to protect PII and payment information. Smaller healthcare providers have smaller budgets for cybersecurity than larger healthcare networks, but trust in large hospital networks is far lower. Only 33% of patients of large hospital networks trusted them to be able to safeguard their PII.

The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, has stepped up enforcement of compliance with the HIPAA Rules in recent years and is increasingly imposing financial penalties for HIPAA Privacy and Security Rule violations. The survey confirmed that patients want healthcare providers to face financial penalties when they fail to ensure the confidentiality of healthcare data. 9 out of 10 patients were in favor of financial penalties for healthcare providers that fail to implement appropriate protections to prevent healthcare data breaches.

Further, when data breaches occur, patients are willing to switch providers. 66% of patients said they would leave their healthcare provider if their PII or payment information was compromised in a data breach that occurred as a result of the failure to implement appropriate security measures. Another 2021 survey, conducted on behalf of Armis, had similar findings. 49% of patients said they would switch provider if their PHI was compromised in a ransomware attack.

The pandemic has increased the risk patients face from healthcare data breaches. Before the pandemic, many patients paid their medical bills in person or by mail, but the Semafone survey showed both payment methods are in decline, with many patients now choosing to pay electronically. There has been a 28% fall in in-person payments and a 17% drop in mail-in payments. With financial information more likely to be stored by healthcare providers, the risk of financial harm from a data breach has increased substantially.

Semafone explained in its 2021 State of Healthcare Payment Experience and Security Report that the increase in healthcare data breaches has led to patients having a heightened sense of awareness and interest in the processes their providers take to protect their information. Semafone suggests healthcare providers, and especially large hospital networks, need to pay more attention to the digital transformation measures they take to keep sensitive information secure.

“Regardless of size, the entire healthcare industry must do better at navigating and preventing data breaches,” said Gary E. Barnett, CEO of Semafone. “The sheer number of breaches in and out of healthcare is problematic. Fortunately, there are solutions that provide security and help meet compliance standards, but many of today’s companies still rely on outdated processes for operations. It is no longer acceptable to claim they aren’t aware that highly efficient, effective, and automated solutions exist to save time, money, and risk. Healthcare organizations must seek the right technologies and processes to protect the patient experience.”

While most patients (75%) said they feel confident that their healthcare providers are doing a good job at disclosing how payment information is secured, only 50% said they know where their payment data was stored. “As a patient, understanding where and how personal and payment information is stored is important to protect against potential fraud and breaches,” explained Semafone in the report. “Given the large number unaware of where their data is stored, providers have an opportunity to increase education and communication with patients to, in turn, improve the experience and overall sentiment toward the providers for the future.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.