Latest Ponemon Study Reveals Data Breaches Up 32 Percent Due to Sloppy Mistakes and Unsecured Mobile Devices

TRAVERSE CITY, Mich. and PORTLAND, Ore. - December 1, 2011 - The second annual benchmark study by Ponemon Institute, sponsored by ID Experts®, finds that the frequency of data breaches in the healthcare organizations surveyed has increased by 32 percent, with hospitals and healthcare providers averaging four data breaches each. Employee negligence is the primary culprit: according to 41 percent of healthcare organizations surveyed, data breaches involving protected health information (PHI) are caused by sloppy employee mistakes. To compound the problem, half of respondents do nothing to protect the mobile devices that are in use in 80 percent of healthcare organizations. Based on the experience of the healthcare organizations surveyed, data breaches could be costing the U.S. healthcare industry an estimated $4.2 billion to $8.1 billion annually, an average of $6.5 billion, enough to hire more than 81,000 registered nurses nationwide or fund 216 million flu vaccinations. For a free copy of the 2011 Benchmark Study on Patient Privacy and Data Security, visit

Key Findings of the Research

Data breaches at hospitals and healthcare providers are rising, due to employee mistakes.

Data breaches rose 32 percent, and the number of compromised patient records in the benchmarked organizations rose an average of 46 percent. According to the research, 55 percent of healthcare organizations say they have little or no confidence that they can detect all privacy incidents. In fact, 61 percent of organizations are not confident they know where their patient data is physically located. Third-party mistakes, including those by business associates (BAs), account for 46 percent of the data breaches reported in the study. According to 49 percent of respondents, lost or stolen computing or data devices are a cause of healthcare data breach incidents.

Widespread use of unsecured mobile devices is at the core of hospital data breaches.

More than 80 percent of healthcare organizations use mobile devices that collect, store and/or transmit some form of PHI. Yet, half of all respondents do nothing to protect these devices.

Federal regulations and policies are not reducing data breaches.

Only 22 percent of organizations say their budgets are sufficient to minimize data breaches. 83 percent of hospitals have clearly written policies and procedures to notify authorities of a data breach, but 57 percent don't believe their policies are effective. The research indicates that the closer personnel are to the data (such as billing and IT staff), the higher the probability that they do not follow policies and procedures. 42 percent of respondents say administrative personnel in their organizations do not understand the importance of protecting patient data.

More healthcare providers say data breaches are leading to medical identity theft.

29 percent of respondents say their data breaches led to cases of medical identity theft. This represents a 26 percent increase compared to 2010. 90 percent of organizations say data breaches cause harm to patients, yet only 25 percent offer basic monitoring services following a breach. 35 percent of healthcare breaches are discovered by a patient complaint.

Data breaches are likely to increase, given lack of resources.

73 percent of respondents reported lacking sufficient resources to prevent or detect unauthorized patient data access, loss or theft. 53 percent of organizations cite lack of budget as their biggest weakness in preventing data breaches. The increased use of outside resources and business associates, associated with the downsizing of hospital staff, is having a direct impact on privacy and security. 69 percent of organizations say that they have little or no confidence in business associates' ability to secure patient data.

"Healthcare data breaches are an epidemic," said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. "These problems are a direct result of our national economy. Healthcare organizations, especially not-for-profit hospitals and small clinics, have thin margins, are trimming staff and resources and are lacking sufficient security and privacy budgets needed to adequately protect patients. I don't see this getting better anytime soon."

"Hospital employees are exposing patient data like the back of a hospital gown," said Rick Kam, president and co-founder of ID Experts. "Identity theft and medical identity theft resulting from data breach exposure are commonplace, causing patients financial harm, frustration and embarrassment. Hospitals must vaccinate against data breach risks in order to take better care of patients and their data."

Three Actions Organizations Can Take Now To Better Protect Patient Data

According to Rick Kam at ID Experts, healthcare organizations can minimize their data breach risks with three basic steps:

1. Take an inventory of PHI/PII.

An inventory provides a complete accounting of every element of personally identifiable information (PII) and PHI that an organization holds, in either paper or electronic format. It helps determine how an organization collects, uses, stores and disposes of its PHI. A PHI inventory reveals the risks for a data breach, so organizations can strategically protect PHI data and best plan for a response based on real information.

2. Develop an Incident Response Plan (IRP).

An IRP is an effective, cost-efficient means for helping organizations meet HIPAA and HITECH requirements and develop guidelines related to data breach incidents. The IRP designates roles and provides guidelines for the response team's responsibilities and actions.

3. Review contracts and agreements with business associates.

Business associates are a growing cause of data breaches. Business associate agreements between healthcare organizations and their business associates authorize and define the business associates' use of the PHI that healthcare providers share with them. Keeping these contracts up to date demonstrates compliance to regulators and helps maintain consistency in how PHI is managed across the healthcare ecosystem.

Free Webinar to Discuss Research Findings and Outline How Organizations Can Take Action

A free webinar with Dr. Larry Ponemon and Rick Kam will be held Thursday, December 8, 2011 at 1:00 p.m. ET. To register, visit

About the Study

The 2011 Benchmark Study on Patient Privacy and Data Security utilized in-depth, field-based research involving interviews with senior-level personnel at healthcare providers to collect information on the actual data loss and data theft experiences at their organizations. This benchmark research, in contrast to a traditional survey-based approach, enables researchers to collect both the qualitative and quantitative data necessary to understand the current status of patient privacy and data security in the healthcare organizations that participated in the study.

About Ponemon Institute

Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About ID Experts

ID Experts is the leader in comprehensive data breach solutions that deliver the most positive outcomes. The company has managed hundreds of data breach incidents, protecting millions of affected individuals, for leading healthcare organizations, corporations, financial institutions, universities and government agencies. In healthcare, the company contributes to relevant legislation and rules including HITECH and is a corporate member of HIMSS. ID Experts is active with organizations that advocate for privacy for Americans including ANSI/Identity Theft Prevention, Identity Management Standards Panel and the International Association of Privacy Professionals. For more information, visit; join in the All Things HITECH discussion via LinkedIn at; and follow ID Experts on Twitter @IDExperts.

# # #

Media Contacts:

Kelly Stremel or Lisa MacKenzie

MacKenzie Marketing Group

[email protected]

[email protected]

Note to Media:

For a copy of the 2011 Benchmark Study on Patient Privacy and Data Security, an infographic or to schedule an interview with Rick Kam or Larry Ponemon, please contact [email protected] or [email protected]