It’s bad enough that hospital data breaches are so common. What’s worse is that the bulk of those breaches apparently disclose sensitive data which could help the thieves steal from the breach’s victims.
According to a new study appearing in the Annals of Internal Medicine, more than 70% of all hospital breaches expose patient demographic or financial information that could potentially be used to commit identity theft or other forms of fraud. The researchers drew this conclusion from an analysis of approximately 1,500 protected health information breaches that took place over the past ten years.
Specifically, they found that each breach studied exposed at least one piece of demographic information such as names or email addresses. Meanwhile, 2 percent of breaches included sensitive medical information, which they determined to have threatened the medical privacy of 2.4 million patients.
Having identified this problem, the study’s authors propose a potential solution. They suggest that policymakers demand that healthcare organizations use standardized documentation on what data was compromised after a breach along with the number of patients affected.
This suggestion deserves further investigation. With the number of health data breaches continuing to grow — one recent study found that the number of events grew substantially between 2010 and 2017 — it’s becoming steadily more important to understand their impact.
Of course, the HHS Office for Civil Rights does collect some data on breaches already. As most readers will know, if a breach affects 500 or more individuals, covered entities must notify OCR within 60 days, as well as notifying the affected individuals themselves. (The rules are looser for breaches affecting fewer than 500 individuals, but covered entities must still report that the breach took place.) HHS publishes those reports on what is unofficially called the HHS "Wall of Shame" (officially, the HHS Breach Portal).
These reporting requirements aren’t worthless. It’s certainly good to know, at least on a broad level, that an organization experienced a data breach and to get a sense of how many people the data exposure might have affected.
However, it would probably be smart to step up reporting requirements to give HHS and other policymakers more insight into how a breach actually played out.
In particular, it would make sense for the OCR to create a template that healthcare organizations and business associates would have to use to categorize the breached data. If these organizations submitted detailed information about the nature of the breached data in a standardized fashion, it would be far easier to compare events directly.
After aggregating and analyzing this finer-grained data on healthcare breaches, the OCR and other regulators would be better equipped to make policy recommendations regarding health data privacy and security. It would also be easier to quantify the impact of such breaches, in terms of both financial and social costs – and that’s something we could really use.