Healthcare records hacked, data breaches uncovered

A new study published in the journal Annals of Internal Medicine on September 24, 2019, draws attention to the serious implications of cybercrime in the area of health care records.

Image Credit: Jariryawat / Shutterstock
Image Credit: Jariryawat / Shutterstock

Researcher John (Xuefeng) Jiang shows that the health records of almost 170 million people over the country have been hacked in 1461 reported data breaches. These occurred over a period of ten years, from October 21, 2009, to July 1, 2019. In all these incidents, people lost one or more pieces of important personal data. And over 70 percent involve sensitive information that could lead to identity theft. It’s not just the number of patients involved; it’s the kind of information the criminals steal that is important.

The PHI security breaches were reported online by the Department of Health and Human Services (HHS), which must be notified every time a healthcare data breach occurs. Healthcare programs and providers must legally communicate whenever protected health information is accessed by unauthorized personnel. The HHS in turn must publicly report every case if over 500 people are involved.

Patterns of data theft

To identify the kinds of theft that are most common in the cyber healthcare domain, the researcher looked at a detailed breakdown of the data breaches published by HHS during this period. In all the reported hacks of protected health information (PHI), the hacker obtained personal data ranging from the name of the patient to the email address.

In over half of them (about 960 cases), 150 million people lost control of their driver’s license numbers, dates of birth and social security numbers. In more than 500 incidents, many millions of people found their financial information exposed to hackers. And in almost 190 cases, the criminals got access to the bank account and credit card details of almost 50 million people.

For 50 million patients, their medical records per se were exposed, giving others details of their diagnosis, treatment, and medications. This included very sensitive details such as addictions, HIV status, sexual transmitted infections (STIs), cancer, and mental illness, in 2.4 million patient records covering 22 cases of cybercrime.

What we can do

Despite the breach of private medical information, Jiang doesn’t think there’s much gain from getting access to this kind of data, which is hard to sell at a profit. Instead, personal identifiers, credit card numbers and other data that can be sold to fuel identity theft are bigger targets. Thus the balance between data access and data security must be carefully calculated; to make it easier to retrieve patient data, you shouldn’t compromise on the security barriers. And if you can’t apply sophisticated protection to everything, throw your money at the sensitive personal and financial information rather than on purely medical information. This is the most important way to make it harder and less rewarding to hack PHI.

Jiang says, “The main message for hospitals and health care providers is, if you have limited resources to safeguard information, you should put more emphasis on the sensitive kinds of information that can be sold on the dark web.” And for patients, he advises, don’t bother about how many records were broken into, but look at what was stolen.

Other experts in biostatistics concur, but say that they still wouldn’t want any private information to pass through anyone’s hands except those of the authorized personnel. Secondly, they are arguing over the best way to keep data out of reach. It could be a server; it could be on the cloud. Of course, cloud storage is handled by bigger companies, with greater potential for massive data breaches. But on the other hand, these companies can usually afford to invest in much better and more abundant tools to protect the information they store against hacking.

Journal reference:

John (Xuefeng) Jiang, PhD; Ge Bai, PhD, CPA, Types of Information Compromised in Breaches of Protected Health Information. Ann Intern Med. [Epub ahead of print 24 September 2019] doi: 10.7326/M19-1759,

Dr. Liji Thomas

Written by

Dr. Liji Thomas

Dr. Liji Thomas is an OB-GYN, who graduated from the Government Medical College, University of Calicut, Kerala, in 2001. Liji practiced as a full-time consultant in obstetrics/gynecology in a private hospital for a few years following her graduation. She has counseled hundreds of patients facing issues from pregnancy-related problems and infertility, and has been in charge of over 2,000 deliveries, striving always to achieve a normal delivery rather than operative.


Please use one of the following formats to cite this article in your essay, paper or report:

  • APA

    Thomas, Liji. (2019, September 25). Healthcare records hacked, data breaches uncovered. News-Medical. Retrieved on February 25, 2024 from

  • MLA

    Thomas, Liji. "Healthcare records hacked, data breaches uncovered". News-Medical. 25 February 2024. <>.

  • Chicago

    Thomas, Liji. "Healthcare records hacked, data breaches uncovered". News-Medical. (accessed February 25, 2024).

  • Harvard

    Thomas, Liji. 2019. Healthcare records hacked, data breaches uncovered. News-Medical, viewed 25 February 2024,


The opinions expressed here are the views of the writer and do not necessarily reflect the views and opinions of News Medical.
Post a new comment
You might also like...
'GREAT PLEA' system proposed for responsible use of generative AI in healthcare