169 million people have had their health records compromised in data breaches

A study of 1461 health care breaches between 2009 and 2019 found millions of patients' personal info exposed

Published September 23, 2019 5:00PM (EDT)

Caduceus made out of binary code (Salon)
Caduceus made out of binary code (Salon)

Cyber criminals compromised the health records of more than 169 million people across the country over the past decade, according to study published Monday in the medical journal Annals of Internal Medicine.

The study, which analyzed 1461 health care breaches reported to the federal government between Oct. 21, 2009 and July 1, 2019, concluded that all incidents over that time period revealed at least one crucial piece of personal information, including patient names, e-mail addresses and phone numbers. In 964 cases, hackers managed to access social security numbers, driver's license numbers and dates of birth of approximately 150 million people.

More than 500 health care data breaches exposed the financial information of millions of patients. In 186 cases, credit cards and banking accounts of 49 million patients were compromised.

Additionally, the medical records of nearly 50 million patients were exposed as a result of 944 data breaches. Those records included information about a patient's diagnosis, lab results, treatment and prescriptions.

Medical information considered more sensitive — such as those related to substance abuse, HIV, sexually transmitted diseases, mental health or cancer — were disclosed as well. The sensitive medical information of 2.4 million patients was compromised in 22 cases, according to the study.

The study, published in the Annals of Internal Medicine, was written up by a pair of researchers who analyzed more than a thousand health care data breaches published online by the Department of Health and Human Services (HHS). Health plans and health care providers are required by law to notify HHS after a health care breach, and the agency is required to publicly report all unauthorized access of protected health information involving more than 500 people.

By Shira Tarlo

MORE FROM Shira Tarlo