"This (last) finding suggests that patient data is being unknowingly exposed until the patients themselves detect the breach," the study states. "Healthcare organizations' inability to prevent or detect patient data loss is putting patients at greater risk of medical identity theft, financial identity theft and having their personal health facts disclosed."
The study also finds the cost for data breaches for hospitals as a whole is $6 billion. According to respondents in the study, the economic impact of data breach incidents over a two-year period is approximately $2 million per organization.
Through his research, Dr. Larry Ponemon, data security researcher, has learned that most hospitals are more concerned with "red and black" streams of revenue.
"A lot of organizations are frustrated at the limited number of resources" protecting patient privacy, Ponemon says. "It is an issue."
Other highlights from the study include the following:
- 60% of organizations had more than two data breaches in the past two years. The average number for each participating organization was 2.4 data breach incidents
- The average number of lost or stolen records per breach was 1,769. A significant percentage of organizations either did not notify any patients (38%) or notified everyone (34%) that their information was lost or stolen
- The top three causes of a data breach are: unintentional employee action, lost or stolen computing devices and third-party snafu
- 41% discovered the data breach as a result of a patient complaint
- More than half (58%) of organizations have little or no confidence that their organization has the ability to detect all patient data loss or theft
- 63% of organizations say it took them between one and six months to resolve the incident
- 56% of respondents have either fully implemented or are in the process of implementing an EHR system. The majority (74%) of those who have an EHR system say it has made patient data more secure
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.