Protect Yourself From a Hospital Data Breach

You may never have considered whether your preferred hospital is one of the approximately 311 major teaching hospitals in the U.S., but according to a new study, the type of hospital you choose might affect your privacy.

Teaching hospitals are affiliated with medical schools, which use the facilities to help train future doctors. And the new report, published Monday in JAMA Internal Medicine, found that these hospitals—which tend to be larger and have more people handling patient records—may be more likely to experience data breaches.

Hospital data breaches are a fairly regular occurrence these days and can result in your Social Security number, health insurance ID, and other personal information being exposed and misused. For instance, your info may be used to perpetrate medical identity fraud—in which someone else obtains medical care in your name and leaves you with the bills and falsified medical records.

But data breaches affect more than just hospitals—health insurers, doctors' offices, and other types of medical facilities have all been targeted. Personal patient information was compromised more than once per day, on average, across the healthcare industry last year, according to healthcare data security firm Protenus.

Although it's wise to pay attention to studies like this, there's no need to panic. No matter what kind of hospital you go to, you can take steps to safeguard your data and your privacy.

What the Study Found and What It Means

In this study, researchers from Johns Hopkins, Michigan State, and Ball State universities evaluated the reports hospitals must make to the Department of Health and Human Services and the media whenever the personal information of 500 or more people is breached. (People whose information is divulged must also be notified.)

The researchers focused on 141 U.S. hospitals that made such reports between late 2009 and the end of 2016. The hospitals that reported data breaches to HHS (which included one of Johns Hopkins' own hospitals) were more likely to be major teaching hospitals than smaller teaching hospitals or nonteaching hospitals.

Ge Bai, Ph.D., assistant professor of accounting at Johns Hopkins Carey Business School and the study’s lead author, explained in an interview that major teaching hospitals may be more vulnerable to breaches because more of their staff (who are also conducting medical research and educating new healthcare professionals) can view private patient data. The more people who can access data, the less secure it is, she notes.

This doesn't mean you should avoid major teaching hospitals, which often offer cutting-edge treatment and give patients generous amounts of attention.

But you should take these simple steps to help secure your personal information and reduce the risk of fraud if your information does get exposed.

How to Protect Your Personal Information

Limit the personal information you provide. Think twice before allowing the hospital to photocopy your driver's license or state ID, and if you permit this, make sure paper copies are shredded after they are scanned into a computer. If a registration form asks for your Social Security number, Eva Velasquez, president and CEO of the nonprofit Identity Theft Resource Center, recommends asking: “Do you really need this?” She says requests for SSNs are relics from the days when the number was necessary to bill you for services. Consider refusing and explain that you are concerned about security.

Social Security numbers still appear on Medicare cards, though this will change in the near future. The Centers for Medicaid and Medicare plan to send new, SSN-free cards to all Medicare recipients by April 2019.

Be cautious about revealing any health or medical information on social media. If your data is breached at a healthcare facility, Velasquez says, any online mention of your hospital, doctor, or health insurer makes it easier for criminals to fraudulently use your medical identity.

Read all correspondence from your healthcare providers, including your health insurer. Pay attention to explanation of benefits letters and medical bills to ensure that listed procedure dates and providers match services you received.

Act fast if you spot something concerning, such as medical appointments with unfamiliar doctors. First, call the facility to see whether it's a mistake. If not, file a police report and a report with the Federal Trade Commission.

Ask what steps will be taken in the event of a breach. You'll probably receive support services such as credit monitoring.

For more on how to protect your medical identity and how to proceed if you think you’ve been victimized, see our medical identity theft coverage.


Consumer Reports has no relationship with any advertisers on this website. Copyright © 2006-2017 Consumer Reports, Inc.