Patient data breaches cost providers $6 billion per year

by Olga Deshchenko, DOTmed News Reporter | November 09, 2010
Patient information data breaches cost health care organizations nearly $6 billion on an annual basis but 70 percent of entities say protecting patient data is not a top priority, according to a Ponemon Institute benchmark study released Tuesday.

The study was based on in-depth field research at 65 health care organizations and was conducted by Traverse City, Mich.-based Ponemon Institute, a privacy and information management research firm, and Portland, Ore.-based ID Experts, a data breach solutions company.

Researchers interviewed 211 senior-level staff in sectors such as security, administration, privacy, compliance and finance.

According to the study, 60 percent of the organizations had more than two data breaches in the past two years, with an average of 1,769 lost or stolen records per breach. The top three reasons for data breaches are "unintentional employee action, lost or stolen computing devices and third-party snafu," according to the report.

"We talk with health care compliance people dealing with data breach risks every day and they just can't get their arms around the problem of data exposure," said Rick Kam, president and co-founder of ID Experts, in prepared remarks. "Unfortunately, in health care organizations, patient revenue trumps risk management."

Out of the organizations that experienced data breaches, 38 percent did not notify any patients of the incident. Almost half of the breaches - 41 percent - were discovered as a result of patient complaints.

Among the respondents, 71 percent reported a lack of adequate resources, 52 percent a lack of appropriately trained personnel and 69 percent a lack of appropriate procedures and policies necessary to prevent and swiftly detect patient data breaches.

The majority of the respondents said data breaches impacted their organizations negatively - 81 percent believe they "suffered brand or reputation diminishment," 80 percent reported a time and productivity loss and 77 percent reported "loss of patient goodwill," according to the study.

The majority of the respondents do not believe that the passage of the HITECH Act, legislation meant to enhance security measures and protections for patient data, has "significantly changed the management practices of patient records," according to the study.

"Our research shows that the health care industry is struggling to protect sensitive medical information, putting patients at risk of medical identity fraud and costing hospitals and other health care services companies millions in annual breach-related costs," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in prepared remarks.

Passed in 2009, the HITECH Act aims to strengthen safeguards of protected health information by health care organizations. Under the law, "negligent compliance practices can result in fines up to $1.5 million per incident," and legal action, according to the report.

"At this point one would hope to see that health care organizations have improved information security practices and come into compliance with HITECH, now that it's been more than one year since it was enacted. Instead we found enormous vulnerabilities. The protection of patient data should be at the forefront of their efforts," said Ponemon.

More than half of the respondents have either fully implemented or are in the process of implementing electronic health records. Of those who have EHRs, 74 percent report improvements in patient data security.

The researchers acknowledged that the sample size for the study is small, cautioning that "great care should be exercised before attempting to generalize these findings to the population of all health care providers."