More than 70% of hospital data breaches that occurred over the past 10 years comprised sensitive demographic and financial information that could be used for identity or financial fraud, according to a letter published in the Annals of Internal Medicine.
The two researchers analyzed all US health care breaches that occurred between October 21, 2009, and July 1, 2019 (breach n=1461; patient n=169 million), and divided the protected health information (PHI) into 3 types: demographic information, service or financial information, and medical or clinic information.
Sensitive demographic information was defined as patient names, email addresses, phone numbers, Social Security numbers, birth dates, and driver’s license numbers. Financial information included date of service, billing amounts, and payment information. Medical information included diagnoses and treatment information, including substance abuse, HIV, sexually transmitted diseases, mental health, and cancer, the authors said.
All 1461 breaches involved at least 1 piece of demographic information; a total of 964 breaches (66%), affecting 150 million patients, comprised Social Security numbers, driver’s license information, and dates of birth. A total of 513 breaches (35%) comprised service or financial information. Among these, 186 breaches (13%), affecting 49 million patients, included credit card and bank account information. A total of 944 breaches (65%) included medical and clinical information from 48 million patients — of these, 22 cases (2%) involved sensitive medical information.
In total, 71% of the breaches comprised both financial and demographic information from 159 million patients, and 16% involved medical information from 6 million patients.
“Policymakers may consider requiring entities to provide standardized documentation of the types of compromised PHI, in addition to persons affected, when reporting breaches,” the authors concluded. “Such information will facilitate the analysis and understanding of breaches and their consequences and the development and adoption of PHI security practices.”
Jiang JX, Bai G. Types of information comprised in breaches of protected health information [published online September 24, 2019]. Ann Intern Med. doi:10.7326/M19-1759