The impact of a data breach over a two-year period was $2 million per organization, and the lifetime value of lost data on a patient was $107,580, according to the Benchmark Study on Patient Privacy and Data Security prepared by the Ponemon Institute and ID Experts. The study surveyed executives at 65 healthcare organizations.
The average healthcare organization had 2.4 data breach incidents over the two-year period of the study. Factors causing data breaches were unintentional employee action, lost or stolen computing devices, and third-party error. Patient billing and medical record keeping were identified as the most susceptible to data loss or theft.
Despite the high price tag, 70% of healthcare organizations said that protecting patient data was a low priority; 67% of organizations said they had less than two staff members dedicated to data protection management.
A majority of healthcare organizations said they had little confidence in their ability to secure patient records. According to the study, 71% of healthcare organizations had inadequate resources to protect patient data, and 69% said that there were insufficient policies and procedures in place to prevent and detect patient data loss.
The tops risks that patients faced when data was lost or stolen included public exposure or embarrassment, financial identity theft, and medical identity theft, according to the survey.
"Our research shows that the healthcare industry is struggling to protect sensitive medical information, putting patients at risk of medical identity fraud and costing hospitals and other healthcare services companies millions in annual breach-related costs", said Larry Ponemon, chairman and founder of the Ponemon Institute.
"At this point one would hope to see that healthcare organizations have improved information security practices and come into compliance with HITECH [Health Information Technology for Economic and Clinical Health], now that it's been more than one year since it was enacted. Instead we found enormous vulnerabilities. The protection of patient data should be at the forefront of their efforts."
A full 71% of respondents did not believe the HITECH Act regulations had significantly changed the management practices of patient records. The findings also indicated that there were a significant number of data breaches that went undetected.
"We talk with healthcare compliance people dealing with data breach risks every day and they just can't get their arms around the problem of data exposure", said Rick Kam, president and co-founder of ID Experts. "Unfortunately, in healthcare organizations, patient revenue trumps risk management."