Data breaches cost healthcare entities $7 billion annually

A pair of reports published this week by the Ponemon Institute and the Health Information Trust Alliance (HITRUST) reveal that the healthcare industry continues to play catch-up when it comes to curbing data breaches.

Ponemon's third annual study on patient privacy and data security determined that a whopping 94 percent of the 80 participating healthcare organizations experienced at least one data breach that they were aware of in the past two years; 45 percent of those organizations said they experienced more than five incidents during that time. According to the report, such breaches cost organizations a total of $6.78 billion annually.

Meanwhile, 54 percent of all participants said they had very little confidence, if any, in their ability to detect such breaches.

"It's likely that many organizations had multiple data breaches, but didn't have the wherewithal to report or know about them," Larry Ponemon, chairman and founder of the Traverse City, Mich.-based privacy research organization, told FierceHealthIT.

Ponemon said that one of the more troubling aspects of the findings was that such breaches are likely happening every day, but are not a priority to leaders.

"There doesn't seem to be C-level appreciation or support for some of the activities," Ponemon said. "Sure, when there are big fines or reputation consequences to losing information, suddenly organizations have a new-found religion; but in general, we don't see that level of concern or cautiousness that exists in some other industries, like banking, for example."

The HITRUST report, which focused on breaches impacting 500 or more individuals from 2009 through the first half of 2012, found that there have been 495 breaches involving 21 million records since 2009; those breaches have cost roughly $4 billion. Nearly 80 breaches have occurred this year alone that impacted more than 500 individuals.

Still, the authors found that, overall, the total number of breaches has declined since 2009.

"The industry has improved slightly since breach reporting became mandatory in September 2009, but recent spikes make it unclear whether improvement will continue," the report's authors wrote.

HITRUST found that the majority of breaches (70 percent) were electronic, and that 96 percent of breached records were in an electronic format.

The HITRUST report's authors reached a conclusion similar to Ponemon's.

"Based on what we know about healthcare organizations, our intuition would lead us to believe that data is leaking from organizations or is being accessed by unauthorized individuals on a daily basis," the report's authors wrote.

Both organizations had a number of recommendations for healthcare organizations, including increasing encryption efforts and including business associates in all security-related matters.

"Organizations like Kaiser and Blue Cross Blue Shield literally have thousands of business partners that manage or share data with them," said Rick Kam, president and co-founder of ID Experts, which sponsored the Ponemon Institute report. "They need to be in the plan so when--not if--a breach occurs, they're able to respond effectively."

To learn more:
- download the Ponemon report (registration required)
- here's the accompanying announcement
- read the HITRUST report (.pdf)