Healthcare Information Security

26% of Consumers Report PHI Stolen in Healthcare Data Breach

A recent report found that one in four US consumers have had their PHI stolen during a healthcare data breach.

By Elizabeth Snell

As healthcare cybersecurity threats continue to evolve, it should come as no surprise that individuals may find themselves the victim of a healthcare data breach. A recent survey shows that medical identity theft is a top result of these data security incidents, and that consumers might discover on their own that their data was stolen.

Approximately one-quarter of 2,000 US consumers – 26 percent – have had their personal medical information stolen in a healthcare data breach, according to an Accenture survey. Furthermore, 50 percent of those affected stated that they experienced medical identity theft, averaging approximately $2,500 in out-of-pocket costs per incident.

“Health systems need to recognize that many patients will suffer personal financial loss from cyberattacks of their medical information,” Managing Director of Cybersecurity in Accenture’s Health Practice Reza Chapman said in a statement. “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.”

Fifty percent of respondents who experienced a data breach said that they found out about the incident themselves, by noticing an error on a credit card statement or their benefits explanation.

One-third reported that the organization where the data breach occurred notified them of the incident, while 15 percent said they were alerted by a government agency.

In response to experiencing a PHI data breach, 91 percent of respondents said that they took some type of action. Twenty-five percent reported that they changed healthcare providers, with 21 percent saying that they changed insurance plans. Nineteen percent of those surveyed said they sought legal counsel.

Additionally, 29 percent admitted that they changed their login credentials as a reaction to a data breach. Just under one-quarter – 24 percent – said that they subscribed to identity protection services, while 20 percent reported that they added security software to their computer. However, only 12 percent of healthcare data breach victims said they reported the breach to the organization that held their data.

“Now is the time to strengthen cybersecurity capabilities, improve defenses, build resilience and better manage breaches so that consumers have confidence that their data is in trusted hands,” Chapman said. “When a breach occurs, healthcare organizations should be able to ask ‘How is our plan working’ instead of ‘What’s our plan?’”

Even with a healthcare data breach occurring, the majority of consumers – 88 percent – said they trust their physicians or other healthcare providers to keep their ePHI secure. Specifically, 36 percent admitted that they have a “great deal” of trust in the organizations.

The survey also found that the trust levels are fairly consistent, regardless of the type of entity holding patient PHI. Eighty-five percent said they trust their pharmacy, 84 percent trust their hospitals, and 82 percent trust their health insurance company.

In contrast, 57 percent of respondents said they trust health technology companies, while 56 percent reported they trust the government to keep their healthcare data secure.

Healthcare cybersecurity attacks have drastically increased recently, further demonstrating why covered entities and business associates must remain vigilant in keeping PHI secure.

Redspin found in a recent survey that healthcare cybersecurity attacks – security incidents stemming from hackers – increased 320 percent from 2015 to 2016.

Eighty-one percent of healthcare data breaches last year were from hacking attacks, the report found, with a total of 325 large-scale PHI data breaches.

Overall, 96 healthcare providers reported PHI breaches of greater than 500 records due to hacking/IT incidents, which is an increase of 320 percent over 2015.

“Healthcare providers have become the primary targets of malicious hackers, and their attacks are becoming increasingly sophisticated and disruptive to operations,” CynergisTek Vice President Dan Berger said in a statement. “The dramatic increase in hacking attacks in 2016, coupled with the large number of patient records compromised in those incidents, points to a pressing need for providers to take a much more proactive and comprehensive approach to protecting their information assets in 2017 and beyond.”

