Hospitals, insurance companies leak more health data than hackers

Hospitals, insurance firms, physician offices, and similar companies leak more personal health data than hackers, a new study has revealed. According to researchers with two major US universities, more than half of personal health data breaches resulted from problems with the medical providers themselves rather than an external force, such as hackers.

The findings come from researchers with Johns Hopkins and Michigan State University; the study has been published in JAMA Internal Medicine. According to the research, internal issues with providers result in more data leaks than external forces. Negligence, not hackers, is behind a substantial percentage of personal health info making its way into unauthorized hands.

A previous study published last year found almost 1,800 instances of big patient data breaches in the span of seven years. In addition, 33 US hospitals were found to have suffered multiple "substantial" data breaches during that time.

This latest research sheds light on the nature of those security lapses, looking at almost 1,150 instances that took place between October 2009 and December 2017. More than 164 patients were impacted by these data breaches; even more worrisome, 53 percent of data breaches were caused by internal issues with the healthcare entity rather than external forces.

Breaking down the numbers, the team found that a full quarter of all instances were the result of an unauthorized disclosure or unauthorized access. Examples of this would include healthcare workers forwarding data to a personal device or account, taking patient info home with them, accidentally messaging it to the wrong person, a lack of encrypted sharing, and more.

Not all data breaches are the result of internal issues, of course. The study found that among the external-linked data breaches, only 12 percent were due to hackers while another 33 percent were due to "theft."

In simpler cases, a breach could result in only small personal details being leaked, such as an email address or phone number. In big cases, though, millions of patients may have their records left vulnerable. The study points toward insurance company Anthem's 2015 breach in which 37.5 million records were impacted, for example.

The increased use of encryption, stronger internal policies, and more can help avoid vulnerabilities at the healthcare level.