Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches

Researchers from Michigan State University and Johns Hopkins University have conducted a study of healthcare data breaches of protected health information over the past 10 years to examine what types of information are most commonly exposed in healthcare data breaches.

The study, published in the journal Annals of Internal Medicine on Monday September 23, 2019, confirms that the health information of approximately 169 million Americans was exposed, compromised, or impermissibly disclosed in 1,461 data breaches at 1,388 entities between October 2009 and July 2019. Those breaches each impacted 500 or more individuals and were reportable incidents under HIPAA and the HITECH Act.

The researchers explain that information about the types of information exposed in data breaches is not widely available to the public, since it is not a requirement to share the types of data that have been compromised in the breaches. It is therefore difficult for researchers to classify the amount and types of healthcare information exposed and gain an accurate picture of the consequences of the breaches.

“When the media reports data breaches that occurred to healthcare providers, the headline is always the number of patients affected,” explained John (Xuefeng) Jiang, MSU professor of accounting and information systems at MSU and lead author of the study. “We felt both the regulators and the public didn’t pay enough attention to the type of information compromised in the healthcare data breach.”

Types of Data Exposed in Healthcare Data Breaches

For the study, the researchers categorized healthcare data into three main groups: Demographic information (Names, email addresses, personal identifiers etc.); service and financial information (Payments, payment dates, billing amounts etc.); and Medical information (Diagnosis, treatments, medications etc.)

Social Security numbers, drivers license numbers, payment card information, bank account information, insurance information, and birth dates added to a subcategory of sensitive demographic information. This information could be used by criminals for identity theft, medical identity theft, tax and financial fraud. A subcategory of medical information was also used for particularly sensitive health data such as substance abuse records, HIV status, sexually transmitted diseases, mental health information, and cancer diagnoses, due to the potential implications for patients should that information be exposed or compromised.

Key Findings of the Study

  • 71% of breaches involved either sensitive demographic information or sensitive financial information, which placed 159 million individuals at risk of identity theft or financial fraud
  • 66% of breaches involved sensitive demographic information such as Social Security numbers
  • 65% of the breaches exposed general medical or clinical information
  • 35% of breaches compromised service or financial information
  • 16% of breaches only exposed medical or clinical information without exposing sensitive demographic or financial information
  • 76% of breaches included sensitive service and financial information such as credit card numbers – Those breaches affected 49 million individuals
  • 2% of breaches compromised sensitive health information – Those breaches affected 2.4 million individuals

Jiang believes hackers are not targeting healthcare organizations to gain access to patients’ sensitive medical information, instead healthcare organizations are attacked, and hackers take whatever data they can find in the hope that the information can be monetized. Jiang suggests hospitals and research institutions should store medical information separately from demographic information. Medical information could then be shared between healthcare providers and researchers without greatly increasing risks for patients. A separate system could be used for demographic, financial and billing information, which is needed by hospital administration staff.

The researchers advocate greater focus on the types of information exposed or compromised in healthcare data breaches to help breach victims manage risk more effectively. They suggest the Department of Health and Human Services should formally collect and publish information about the types of data that have been exposed in data breaches to help the public assess the potential for harm. The researchers plan to work closely with lawmakers and the healthcare industry to provide practical guidance and advice based on the results of their academic studies.

Data Breach Notifications Under HIPAA

The HIPAA Breach Notification Rule requires all patients affected by a reportable healthcare data breach to be notified within 60 days of discovery of the breach. Affected individuals must be told what types of information have been exposed or compromised as that information allows breach victims to make a determination about the risk they face so they can make a decision about any actions they need to take to reduce the risk of harm.

OCR explains in its online guidance on breach notification requirements of HIPAA, “These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).”

Publicly Available HIPAA Breach Information

The HHS’ Office for Civil Rights, as required by the HITECH Act, has been publishing summaries of data breaches of 500 or more healthcare records on the HHS website since October 2009. The breach portal, which can be accessed by the public, contains basic information about the breaches.

The breach portal details the name of the breached entity, state, type of covered entity, individuals affected, breach submission date, type of breach, location of breached information, and whether there was business associate involvement. This information can also be downloaded for breaches that are under investigation by OCR and for incidents that have been archived following the closure of the OCR investigation.

When a data breach is archived, further information is added to the breach summary in a “web description” field. The web summary is not available for breaches still under investigation, but the information is included for archived breaches. The web summary is only viewable in the downloaded breach reports.

In many cases, the web description includes details of the types of information that were exposed in the breach, but not in all cases. Formalizing this requirement would ensure that all breaches detailed on the portal would have that information included. The web description field also includes information on any actions taken by OCR in response to the breach that led to the resolution and closure of the investigation.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.