Totality of data compromised shows the true impact of a breach


Data breaches frequently occur in healthcare, and when these breaches become public, there’s always a tally on the number of affected patients.

In a new report published in the Annals of Internal Medicine, John Jiang of Michigan State University and Ge Bai of the Johns Hopkins Bloomberg School of Public Health say to follow the compromised data, not the patient count. That’s because more than 70 percent of breached information could be used to commit identity or financial fraud.

“The reporting requirements, academic research and public attention regarding consequences of protected health information breaches are primarily focused on the number of affected patients rather than the types of compromised PHI, limiting the potential to manage the risk for breach effectively,” the researchers contend.

Jiang and Bai then classified compromised PHI into three types. The first is demographic information, including names, e-mail addresses, phone numbers and other personal identifiers, as well as Social Security numbers, driver’s license numbers and dates of birth; the latter are sensitive data that could be exploited for identity fraud.

The second type of PHI includes service or financial information: service dates, billing amounts, payment information, payment cards and bank accounts. These types of PHI are also vulnerable to being compromised.

The third type of PHI is all personal medical information, comprising medical data on substance abuse, HIV, sexually transmitted diseases, mental health and other diseases or diagnoses.

These data have substantial implications for clinical privacy because a single breach could compromise several types of protected health information at once, Jiang and Bai explain.

“All 1461 breaches used in the research involved at least one piece of demographic information. In particular, 964 breaches (66 percent) affecting 150 million patients (89 percent) comprised sensitive demographics such as Social Security number, driver’s license number and dates of birth.”

“Policy makers may consider requiring entities to provide standardized documentation of the types of compromised PHI, in addition to persons affected, when reporting breaches,” Jiang and Bai conclude. “Such information will facilitate the analysis and understanding of breaches and their consequences, and the development and adoption of PHI security practices.”
