The Prevalence Of Healthcare Data Breaches

Why Vulnerabilities In Healthcare Information Technology Put Your Privacy At Risk


By Josette Barrans

Today, it seems like healthcare data breaches have become commonplace. Almost every week we hear a news story about records being compromised on a massive scale, but most people don’t understand what this actually means. Though these data breaches are often quickly forgotten about by the general public, their implications are much more dire than one might expect. Firstly, this data is being targeted at an alarming rate. According to the HIPAA Journal, healthcare data breaches are being reported at a rate of more than one per day[1]. Strong and effective actions are clearly needed to address such a consistent issue. Secondly, these breaches are both expensive and deadly. There is often no way to prevent fraudsters from racking up medical bills under your name and this alteration of your medical information can affect your healthcare treatment and services in the future. Lastly, these thefts are extremely hard to fight, which has caused a standstill of reform efforts for many years.

Healthcare data breaches can include a multitude of private information, including medical records, social security numbers, addresses and both employment and credit card information[2]. These breaches allow criminals to use someone’s identity to access healthcare or insurance worth hundreds of thousands of dollars, resulting in a greater impact than simply stealing credit cards[3]. If your medical insurance is breached, you may have to pay out of pocket for medical procedures or medications in the future. You may even have to cover the costs incurred by these thieves, affecting a patient’s ability to access payment during an emergency. Furthermore, if a thief uses your medical identity to incur costs, these purchases and procedures will go on your permanent medical record. So, this will affect how doctors view your alleged pre-existing conditions as they will also be scrutinizing false information. This can impact your medical treatment, which could have dangerous consequences. These breaches take twice as long to spot as credit card fraud and are much more difficult to address due to the hardship of correcting medical records and the inability of police to accept certain reports out of their jurisdiction[4]. While some private companies have developed medical identity monitoring services, these are available solely to insurance companies rather than individuals.

To address this issue, the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect the security of healthcare information and ensure confidentiality[5]. Yet, since 2009, data breaches have led to the theft of over 189 million healthcare records, which equates to more than 59% of the population of the United States[6]. Because of HIPAA, healthcare companies are required to pay damages for data breaches, costing the industry around $6 billion each year[7]. Though healthcare organizations don’t want to be spending this money, they seem to lack the ability to prevent breaches considering that no effective changes are being made.

There are many different causes for data breaches. Negligence is a main one, as healthcare workers often can accidentally expose records to predators either through mistakes, falling for phishing scams or partnering with shady businesses. Some organizations claim they lack the resources to fight cyber attacks, as some breaches are caused by skilled hackers. One main issue with the prevention of medical information fraud is that it takes twice as long to spot and is hard to address compared to other types of breaches[8]. If your credit card data is stolen, you can simply close your account. This is obviously not the case with your medical records, as there is no way to wipe your slate clean or easily alter the information due to the fact that they are permanently attached to your identity. While credit card companies usually have measures in place to detect fraudulent activity, insurance companies do not. Therefore, criminals can take advantage of this security flaw in three ways. First, they can steal your identity and receive medical care with your money. Secondly, they can set up fake clinics to bill your provider for fabricated procedures and services. Lastly, they can order prescription drugs through your insurance, which they resell for a higher price.

A mix of technology, education, and leadership is needed to crack down on these breaches[9]. As previously mentioned, there are already policies in place to help medical information and healthcare companies follow these guidelines. In fact, Congress enacted the HITECH Act in 2009, which sought to promote the adoption and meaningful use of healthcare information technology while also reinforcing privacy and security concerns[10].  This Actincreased the potential legal liability for non-compliance with HIPAA standards and provided for more strict enforcement[11]. While the HITECH Act has improved the use of electronic health records, it is hard to tell if it has reduced healthcare breaches, which are still happening at a high rate.

The crux of the problem is the healthcare companies’ inability to defend against and properly address these data breaches. So, more protective or advanced technology would be a great asset in this battle. Education on topics such as proper technology use, scams and proactive due diligence would also be useful to provide these organizations with tools to set their security systems up for success. Considering that 58% of all healthcare data breaches are initiated by insiders, some scholars have suggested adopting a zero-trust security policy to combat data breaches[12]. Zero Trust Security is a new security model based on the four pillars of “verifying the identity of every user, validating every device, limiting access and privilege, and learning and adapting using machine learning to analyze user behavior and gain greater insights from analytics”[13]. This would greatly improve the protection of patient records, as it is based on the idea of verifying every device or access attempt to effectively defend all potential attack surfaces.

Some organizations have started to develop technology specifically designed to allow individuals to take action to prevent medical information fraud. For example, a company called ID Experts developed the Medical Identity Alert System (MIDAS) to closely monitor their medical records and transactions so they can detect potential fraud[14]. Additionally, Blue Cross Blue Shield has made identity protection services accessible for all of its members. While these are steps in the right direction, healthcare companies must also enact more preventive measures on the technological side to block breaches, as the burden of protection cannot fall solely on the customer. More awareness must be raised regarding the impact of data breaches on individuals so that pressure can be put on healthcare organizations to prevent these breaches from occurring in the future.

[1] “Healthcare Data Breach Statistics.” HIPAA Journal, HIPAA Journal, 2019,

[2] “Why Data Security Is The Biggest Concern of Health Care.” Health Informatics Online, University of Illinois at Chicago, 27 Oct. 2018,

[3] Korolov, Maria. “Health Data Breaches Could Be Expensive and Deadly.” CSO Online, CSO, 9 Feb. 2015,

[4] Korolov, Maria.

[5] “50 Things to Know about Healthcare Data Security & Privacy.” Becker's Hospital Review, Becker's Healthcare, 9 June 2015,

[6] “Healthcare Data Breach Statistics.”

[7] “50 Things..”

[8] Korolov, Maria.

[9] Eastwood, Brian. “How to Prevent Healthcare Data Breaches (and What to Do If You're a Victim).” CIO, CIO, 20 Dec. 2012,

[10] “50 Things..”

[11] “What Is the HITECH ACT?” Compliancy Group, Compliancy Group, 7 Jan. 2019,

[12] Columbus, Louis. “58% Of All Healthcare Breaches Are Initiated By Insiders.” Forbes, Forbes Magazine, 31 Aug. 2018,

[13]  Columbus, Louis.

[14] Gregg, Bob. “ID Experts: Mitigating Data Breach and Alleviating Identity Theft and Fraud.” Cyber Security, CIO REview, 2019,