Study reveals types of PHI compromised in data breaches
More than 70% of health data breaches in the past decade involved sensitive demographic or financial information, leaving 159 million people vulnerable to identity theft and fraud, according to a new study published in the Annals of Internal Medicine.
Researchers at Michigan State University and Johns Hopkins University examined 1,461 breaches reported to HHS over a 10-year period to find out what kinds of PHI were most commonly exposed.
The study found that every breach exposed at least one type of PHI, which researchers divided into three categories: demographic information, service or financial information, and medical or clinical information. They then created three subcategories for sensitive data, which can be exploited for fraud or to invade patient privacy, the researchers said.
Nearly two-thirds of the breaches involved sensitive demographic information, defined as Social Security numbers, driver’s license numbers, or dates of birth. About 13% of the breaches involved sensitive financial information such as payment cards or bank accounts. Only 2% of the breaches involved sensitive medical information such as substance abuse, HIV, sexually transmitted diseases, mental health, or cancer.
The researchers suggested that the current policy of reporting breaches affecting 500 or more individuals may not be enough. “Policymakers may consider requiring entities to provide standardized documentation of the types of compromised PHI, in addition to persons affected, when reporting breaches,” they wrote. “Such information will facilitate the analysis and understanding of breaches and their consequences and the development and adoption of PHI security practices.”