As digital healthcare grows ever more advanced, the sheer prevalence of data breaches has led many people to simply dismiss them; what once triggered an immediate call to action has become a source of data breach fatigue and apathy for many patients. With each subsequent notification of compromised information, patient response is becoming less urgent, and in some instances absent altogether.
Data breach fatigue is the result of repeated security incident notifications received over time, which leads to decreasing sensitivity to each further incident. Instead of responding appropriately and carefully to a breach, many people choose to ignore alerts, delay protective steps, or assume that breaches are simply a fact of life. This change in behaviour poses a serious risk, especially in the healthcare industry, where the sensitivity of the data is far higher than in most other industries.
The growing trend toward data breach fatigue is highlighted in the CareCloud security breach, a cybersecurity event that not only impacted access to its EHR systems, but also raised significant concern about the potential disclosure of Protected Health Information (PHI). While an organization may be able to take immediate actions to respond to and contain a security breach, the success of those actions may be directly dependent on the actions taken by the individuals who receive notices of the security breaches.
Information overload is one of the major contributors to data breach fatigue. Patients today have many digital accounts to manage, such as banking, social media, and healthcare portals, so when a breach notification arrives as one more email in a crowded inbox, it may be missed or treated as routine. As breach notifications keep arriving over time, the perceived severity of each incident decreases.
Another element is the lack of immediately visible consequences. With financial fraud, you usually learn of the problem almost immediately, because an unapproved transaction shows up on your account. If your medical information is misused, however, it may take months or years for the misuse to be discovered. This delay creates a false sense of security and leads people to conclude that there is no point in taking any steps.
The actions people are asked to take after receiving a breach notification are also complex. The notification will typically suggest that individuals monitor their credit report, place a fraud alert, or review their medical records, and for many people these activities seem cumbersome or time-consuming, especially if they have already been through similar processes several times.
The current trend of non-responsiveness among patients following breaches of electronic health records (EHR) is alarming. Digital healthcare increasingly relies on extremely sensitive data that is centrally stored in EHR systems, which makes those systems attractive targets for many types of attack. If an individual does not act promptly after a breach, the chances of continued improper use of that individual's sensitive information over time increase significantly.
Shifting communication and awareness regarding data breaches to address data breach fatigue requires providing individuals with clear, concise, and actionable information; helping simplify the process for taking action; and raising awareness about real-world risks associated with not taking action.
At the same time, while each data breach is different, patients may come to see them all as the same. Consistent, small actions, such as checking account activity or reviewing and updating security settings, can greatly minimize the negative outcome of a data breach.
As digital healthcare continues to expand, we need to keep the human element of cybersecurity in mind. The recent CareCloud data breach demonstrates that EHRs carry not only technical vulnerabilities but behavioral ones as well. To ensure that individuals remain active participants in protecting their own sensitive information, it is vital that we continue to work to overcome data breach fatigue.
