The study found that hackers gain access to personal information like email addresses and social security numbers, payment information, and medical treatments or diagnoses.
“The major story we heard from victims was how compromised, sensitive information caused financial or reputation loss,” said researcher John (Xuefeng) Jiang. “A criminal might file a fraudulent tax return or apply for a credit card using the social security number and birth dates leaked from a hospital data breach.”
What hackers are looking for
The researchers analyzed nearly 1,500 data breaches that spanned a decade and ultimately affected 169 million people. The goal was to better understand what hackers are looking for when carrying out data breaches in a hospital setting.
“Without understanding what the enemy wants, we cannot win the battle,” said researcher Ge Bai. “By knowing the specific information hackers are after, we can ramp up efforts to protect patient information.”
The largest share of the compromised information was what the researchers termed demographic information, such as age, sex, and location. Combined with financial data, that information comprised 70 percent of all data compromised in the analyzed breaches. In these instances, hackers obtained anything that could personally identify someone, including a driver’s license number, social security number, or birth date, as well as what credit card or bank account a patient used to pay.
Hackers also stole medical information on roughly two million patient records, which could include sensitive information like cancer treatments, STD diagnoses, or information related to mental health treatments.
The researchers encourage both large- and small-scale efforts to help ensure that consumers’ personal data stays personal, as there are resources available that can keep information secure.
Healthcare providers could be to blame
Late last year, Jiang and Bai conducted a study that revealed the majority of data breaches are caused not by hackers but by healthcare providers.
While just 12 percent of all medical-related data breaches between 2009 and 2017 were at the hands of a hacker, 50 percent in that same timeframe came from medical personnel -- hospitals, doctors’ offices, pharmacies, or insurance companies.
“There’s no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors -- but rather by internal negligence,” said Jiang.