Nearly three fourths (71%) of health data breaches that have occurred during the past 10 years exposed protected health information (PHI), including sensitive demographic or financial information, new data show.
Those exposures put 159 million patients at risk for identity or financial fraud, according to an article published online today in the Annals of Internal Medicine.
John (Xuefeng) Jiang, PhD, who is with the Eli Broad College of Business at Michigan State University in East Lansing, and Ge Bai, PhD, CPA, who is with the Johns Hopkins Carey Business School and the Bloomberg School of Public Health in Baltimore, Maryland, analyzed the 1461 PHI breaches that occurred between October 2009 and July 2019.
Two percent of the breaches exposed sensitive medical information, such as substance abuse, HIV status, or mental health status. Those breaches affected 2.4 million patients, the investigators found.
"Notably, 16% of the breaches affecting 6 million patients compromised medical information only, without compromising sensitive demographic or financial information," the authors write.
Until now, damage reports regarding health entities that have been hacked have centered on how many people were affected, but this analysis sheds light on what cyberthieves want.
"Without understanding what the enemy wants, we cannot win the battle," Bai said in a press release. "By knowing the specific information hackers are after, we can ramp up efforts to protect patient information."
Three Categories of Exposures
The authors designated three categories of information that could be exposed, but noted that a single breach could expose several kinds of information:
Demographic information (patient name, email address, telephone number, etc), as well as a subcategory of information that is of importance with respect to identity fraud (social security numbers, driver's license numbers, and dates of birth);
Financial data (service dates, billing amounts, payment information), including sensitive information (credit card and bank account numbers); and
Medical information (diagnosis and treatment information), including sensitive data (information regarding substance abuse, HIV status, mental health, sexually transmitted diseases, etc).
Jiang and Bai found that 964 breaches (66%), which affected 150 million patients, compromised Social Security numbers, driver's license numbers, and dates of birth.
Just more than a third of the breaches (n = 513; 35%) exposed service or financial information. Among the financial breaches, 186 compromised credit cards or bank accounts and affected 49 million patients.
The authors acknowledge that healthcare entities may not know about or report some data breaches, so the list of breaches may be incomplete. The research also relied on US Department of Health and Human Services (HHS) data, which do not include breaches that affect fewer than 500 people. If 500 or more persons are affected, health plans, healthcare clearinghouses, and healthcare providers are legally required to report the breach to HHS.
As federal proposals for data sharing and interoperability grow, the authors say, new policies that require entities to report not only the number of people affected but also the kinds of information exposed could help develop better strategies for protection.
In a study published last year, Jiang and Bai found that more than half of health data breaches were caused by internal mistakes or neglect.