Lying in a hospital bed, the last thing you should to worry about is the threat of a personal data breach. Yet, recent research published in JAMA Internal Medicine (“Hospital Risk of Data Breaches”) found nearly 1,800 occurrences of large data breaches in patient information over roughly a seven-year period. That’s right: health issues, served with a side of identity theft risk.
From October 2009 through December 31, 2016, John (Xuefeng) Jiang, Broad College of Business associate professor of accounting, and his research partners from Johns Hopkins University and Ball State University closely examined data from the Department of Health and Human Services. By law, hospitals covered by the Health Insurance Portability and Accountability Act (HIPPA) must notify HHS of any breach affecting 500 or more individuals within 60 days from the discovery of the breach.
What they found was alarming:
- Healthcare providers reported 1,225 of the 1,798 recorded breaches, while business associates, health plans and healthcare clearinghouses reported the rest
- 257 breaches reported by 216 hospitals;
- 33 hospitals experienced more than one breach – many of which are large, major teaching hospitals
This research reinforces the critical trade-off patients face: healthcare systems having access to information they need, versus a hacker planning to spend your savings at Best Buy.
“Our findings underscore the critical need for increased data protection in the health care industry. While the law requires health care professionals and systems to cross-share patient data, the more people who can access data, the less secure it is,” Jiang said.