Escalating healthcare data breaches come with $7bn pricetag

The Ponemon Institute’s third annual Benchmark Study on Patient Privacy and Data Security found that not only are healthcare breaches up, but they’re way up. Most hospitals (94%) have experienced data breaches over the past two years. But almost half of them (45%) have seen, staggeringly, more than five data breaches at their organization this year. That’s compared to only 29% with more than five data breaches in 2010.

Mostly, Ponemon found, the data loss revolves around medical files, billing and insurance records. And more than half of the organizations surveyed reported medical identity theft. The causes of the breaches are, for the most part, easily addressed: equipment loss accounted for 46% of the breaches, while simple human error (sending the wrong file or email, for instance) accounted for 42%. IT still has a significant role to play, however: targeted attacks by criminals were responsible for a third of cases (33%), while technology glitches were also fairly common (31%).

The most sobering statistic? Half (54%) of respondents said that they are not confident in their ability to detect all patient data losses.

The impact of all of that data leakage is striking and escalating as well: the average breach costs $2.4 million – up from $2.1 million last year and $400,000 in 2010's study. The report said that soon, the annual cost "could potentially be as high as $7 billion."

"It cost the US healthcare industry $6.87 billion to respond to these breaches," Rick Kam, president and co-founder of study partner ID Experts, told Healthcare IT News. "To put that into context, last year we talked about the fact that the US federal government invested $6 billion, roughly, to cancer research, to basically eradicate cancer. Well, we're spending more on data breaches to respond to them than on cancer research."

The study also found that mobility is changing the game for hospitals. Although desktop and laptop computers continue to be the main conduits for data loss, the bring-your-own-device phenomenon is proving to have an impact. Lost smartphones and tablets were at the heart of just 7% of breaches last year, but in 2012 they accounted for 18%, according to the study.

A majority (81%) of organizations permit employees to use their own mobile devices to access patient information. But, as is becoming a meme, half (46%) said that they are nonetheless "doing nothing at all to ensure BYOD is secure." And 54% said they have no confidence or low-level confidence "that these devices are secure."
