John (Xuefeng) Jiang PhD Professor and Plante Moran Faculty Fellow Eli Broad College of Business Accounting & Information Systems Michigan State University East Lansing, MI 

When Hospital Data Systems Are Hacked, It’s Usually Financial Information That’s Leaked Interview with:

John (Xuefeng) Jiang PhD Professor and Plante Moran Faculty Fellow Eli Broad College of Business Accounting & Information Systems Michigan State University East Lansing, MI 

Dr. Jiang

John (Xuefeng) Jiang PhD
Professor and Plante Moran Faculty Fellow
Eli Broad College of Business
Accounting & Information Systems
Michigan State University
East Lansing, MI How did you get interested in this issue?

Response: This is the third project of our data breach trilogy. We first examined which healthcare providers (focusing on hospitals) more likely suffer from a data breach. We documented large hospitals, despite their resources, are more likely to experience a data breach. Some hospitals experienced multiple incidents (

The findings made us wonder what happened? Besides size, what other factors contribute to data breaches? Based on detailed event descriptions, we documented the circumstances under which each data breach occurred (

We found more than half of data breaches could be attributed to healthcare providers’ internal mistakes or negligence (e.g., forgot to encrypt laptop computers, used cc instead of bcc in emailing patients, didn’t revoke former employees’ login credentials after employment terminated) rather than external forces (e.g., hacking). We also found mobile devices (e.g. laptop computers, usb drives) are associated with most data breaches than paper records or network servers. Our results suggest if healthcare providers strengthen their internal control and limit the use of mobile device might be effective ways to reduce data breach risks. What motivated you to do this work? 

Response: When the media reports data breaches that occurred to healthcare providers, the headline is always the number of patients affected. That is an important dimension to measure the severity of a data breach, but it ignores the type of information compromised. The story we heard from the victims, mainly around certain sensitive information which causes them financial loss or reputation loss. A criminal might file a fraudulent tax return or apply for a credit card using the social security number and birth dates leaked from a hospital data breach. On the other hand, some leaked patient information, such as a person’s email address or a billing for annual physical check-up, wouldn’t cause direct harm. We felt both the regulators and the public didn’t pay enough attention to the type of information compromised in the healthcare data breach. What did you do and what did you find? 

Response: We quantify the type of information compromised in healthcare data breaches. We analyzed nearly 1,500 data breach cases over the last ten years. Based on the detailed event descriptions, we class the type of information compromised into three categories: Demographic (names, email address, phone numbers, and other personal identifiers), Service or financial information (service date, billing amount, payment information), and medical or clinical information (diagnoses or treatment). We further classify Social Security numbers, driver’s license, and dates of birth as sensitive demographic information, and payment cards and banking accounts as sensitive financial information. Both types can be exploited for identity theft or financial fraud. Within medical information, we classify information related to substance abuse, HIV, sexually transmitted diseases, mental health, and cancer as sensitive medical information because of their substantial implications for privacy.

We find more than 70% of the cases that affected nearly 95% of the individuals are related to the sensitive demographic or financial information. Only a small percentage of cases are only associated with medical or clinical information breaches. Our findings potentially explain why the public worries about data breach from healthcare providers (not only for loss of privacy, but risk of identity theft or financial fraud). What are the implications of your article?  

Response: For department of health and other regulators, we suggest formally collect the type of information compromised in a data breach to help the public to assess the potential damages.

For hospital and other healthcare providers, our findings have two implications. To the extent that medical information might be the byproduct of criminals trying to steal sensitive demographic or financial information, healthcare providers could effective reduce data breach risks by focusing on securing these types of information if they have limited resources (e.g., separate systems to store and communicate sensitive demographic/financial information versus routine medical information). One big obstacle for healthcare providers to share patients’ medical information widely with other facilities is the concern of data breach. Our results indicate such concerns might be overblown. Given that medical information is the least likely breached, maybe healthcare providers should share more medical and clinical information with other healthcare providers to provide better care. What’s Next? 

Response: Both the department of health and the Congress recently proposed rules to encourage more data health sharing (cited at the beginning of our paper). This rules potentially increase data breaches risks faced by patients and healthcare providers. There is a demand for practical guidance on how to effectively mitigate data breach risk. We will summarize the academic literature on data breaches and insights from industries to offer concrete advice for practitioners regarding minimizing data breach risks. 


Types of Information Compromised in Breaches of Protected Health Information

John (Xuefeng) Jiang, PhD; Ge Bai, PhD, CPA
Published: Ann Intern Med. 2019 DOI: 10.7326/M19-1759


Last Modified: Sep 24, 2019 @ 4:07 pm

The information on is provided for educational purposes only, and is in no way intended to diagnose, cure, or treat any medical or other condition. Always seek the advice of your physician or other qualified health and ask your doctor any questions you may have regarding a medical condition. In addition to all other limitations and disclaimers in this agreement, service provider and its third party providers disclaim any liability or loss in connection with the content provided on this website.