HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Quarter of Americans Have Been Impacted by a Healthcare Data Breach

Given the volume of healthcare records that have been exposed or stolen over the past two years, it comes as little surprise that 26% of Americans believe their health data have been stolen. The figures come from a recent survey conducted by Accenture.

The survey was conducted on 2,000 U.S. adults and more than a quarter said that their medical information has been stolen as a result of a healthcare data breach.

Healthcare information is attractive for cybercriminals as the information in health records does not expire. Credit card numbers can only be used for an extremely limited time before cards are blocked. However, Social Security numbers can be used for a lifetime and health insurance information can similarly be used for extended periods. The information can also be used for a multitude of nefarious activities such as tax fraud, identity and medical identity theft and insurance fraud.

It is also unsurprising that many victims of healthcare data breaches have reported suffering losses as a result of the theft of their data. According to Accenture, half of the individuals who said their data have been stolen said they have experienced medical identity theft as a result. The survey revealed that when medical identity theft occurs, out of pocket expenses of $2,500 are incurred on average.

Please see the HIPAA Journal Privacy Policy

The report shows half of the individuals who said their data have been stolen did not find out from a breach notification letter. They discovered they were a victim of a healthcare data breach after seeing charges on bank/credit card statements and suspicious entries on their Explanation of Benefits statements. Only a third of respondents said they were notified of the breach by the breached entity.

Even with record numbers of healthcare data breaches occurring, Americans still have faith in providers’ abilities to keep electronic protected health information secure. 88% of respondents said they trusted their providers to secure their ePHI. 85% said they trusted pharmacies, 84% trusted hospitals and 82% trusted health insurance companies. Healthcare technologies fared much worse (57%), as did government organizations (56%).

Businesses that experience data breaches know all too well that there is considerable fallout after a breach announcement is made. Many customers simply take their business elsewhere. That was clearly evident after the Target breach.

However, changing healthcare provider is less straightforward. That said, many breach victims said they did change healthcare provider or insurer after they were notified that their health information had been stolen. A quarter of breach victims said they had already changed healthcare provider following a data breach, while 21% said they had changed health insurance provider.

If a data breach or an attack is experienced, healthcare organizations should carefully assess what went wrong and how their cybersecurity defenses can be improved. Considering the impact healthcare data breaches have on patients and the considerable fallout following a data breach, healthcare organizations should ensure that their cybersecurity defenses are up to scratch to prevent data breaches from occurring in the first place.


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.