Healthcare providers—not hackers—leak more of your data

November 19, 2018, Michigan State University
More than half of personal health information leaks happened because of internal issues with medical providers. Credit: PxHere - CC0

Your personal identity may fall at the mercy of sophisticated hackers on many websites, but when it comes to health data breaches, hospitals, doctors' offices and even insurance companies are oftentimes the culprits.

New research from Michigan State University and Johns Hopkins University found that more than half of the recent personal health information, or PHI, data breaches were because of internal issues with medical providers—not because of hackers or external parties.

"There's no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors—but rather by internal negligence," said John (Xuefeng) Jiang, lead author and associate professor of accounting and information systems at MSU's Eli Broad College of Business.

The research, published in JAMA Internal Medicine, follows the joint 2017 study that showed the magnitude of hospital data breaches in the United States. The research revealed nearly 1,800 occurrences of large data breaches in patient information over seven years, with 33 hospitals experiencing more than one substantial breach.

For this paper, Jiang and co-author Ge Bai, associate professor at the Johns Hopkins Carey Business School, dove deeper to identify triggers of the PHI data breaches. They reviewed nearly 1,150 cases between October 2009 and December 2017 that affected more than 164 million patients.

"Every time a hospital has some sort of a data breach, they need to report it to the Department of Health and Human Services and classify what they believe is the cause," Jiang, the Plante Moran Faculty Fellow, said. "These causes fell into six categories: theft, unauthorized access, hacking or an IT incident, loss, improper disposal or 'other.'"

After reviewing detailed reports, assessing notes and reclassifying cases with specific benchmarks, Jiang and Bai found that 53 percent were the result of internal factors in healthcare entities.

"One quarter of all the cases were caused by unauthorized access or disclosure—more than twice the amount that were caused by external hackers," Jiang said. "This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content."

While some of the errors seem to be common sense, Jiang said that the big mistakes can lead to even bigger accidents and that seemingly innocuous errors can compromise patients' personal data.

"Hospitals, doctors' offices, insurance companies, small physician offices and even pharmacies are making these kinds of errors and putting patients at risk," Jiang said.

Of the external breaches, theft accounted for 33 percent with hacking credited for just 12 percent.

While some data breaches might result in minor consequences, such as obtaining the phone numbers of patients, others can have much more invasive effects. For example, when Anthem, Inc. suffered a data breach in 2015, 37.5 million records were compromised. Many of the victims were not notified immediately, so they weren't aware of the situation until they went to file their taxes, only to discover that a third party had fraudulently filed them with the data obtained from Anthem.

While tight software and hardware security can protect from theft and hackers, Jiang and Bai suggest adopting internal policies and procedures that can tighten processes and prevent internal parties from leaking PHI by following a set of simple protocols. The procedures to mitigate PHI breaches related to storage include transitioning from paper to digital medical records, safe storage, moving to non-mobile policies for patient-protected information and implementing encryption. Procedures related to PHI communication include mandatory verification of mailing recipients, following a "copy vs. blind copy" protocol (bcc vs. cc) as well as encryption of content.

"Not putting on the whole armor opened health care entities to enemy's attacks," Bai said. "The is that the armor is not hard to put on if simple protocols are followed."

Next, Jiang and Bai plan to look even more closely at the kind of data that is hacked from external sources to learn what exactly digital thieves hope to steal from patient data.
