MSU study finds hospitals put personal data at risk

Apr 10, 2017

Hospital patients could be particularly vulnerable to personal information data breaches, according to recent research at Michigan State University.

The research shows that hackers exploit healthcare systems’ need for their patients’ personal information.

The study, co-authored by Xuefeng “John” Jiang, MSU associate professor of accounting, found nearly 1,800 occurrences of large data breaches in hospital patient information over a seven-year period.

Data breaches were observed in health care facilities ranging from UC Davis Medical Center in California to Henry Ford Hospital in Michigan.

“Our findings underscore the critical need for increased data protection in the health care industry,” Jiang told MSU Today. “While the law requires health care professionals and systems to cross-share patient data, the more people who can access data, the less secure it is.”

Jiang and his associates examined data from the Department of Health and Human Services, or HHS, from October 2009 through December 2016.

Hospitals covered by the Health Insurance Portability and Accountability Act, or HIPAA, are required by law to notify HHS of any breach affecting 500 or more individuals within 60 days of discovering the breach.

Jiang’s team found that hospitals did not always comply with this law.

Healthcare providers only reported 1,225 of the 1,798 recorded breaches, while business associates, health plans and healthcare clearinghouses reported the rest.

Also found by Jiang’s team:

· 257 breaches reported by 216 hospitals.

· 33 hospitals experienced more than just one breach, many of which were major teaching hospitals.