Data breaches of patient information cost healthcare organizations in the U.S. nearly $6 billion annually, and many breaches go undetected, according to a released report from privacy and information management research firm Ponemon Institute.
Sixty-five organizations participated in the survey, which was sponsored by Portland, Ore.-based ID Experts. The research asserted that protecting patient data is a low priority for hospitals and that organizations have little confidence in their ability to secure patient records.
The impact of a data breach over a two-year period is approximately $2 million per organization and the lifetime value of a lost patient is $107,580, according to Ponemon, of Traverse City, Mich. The average organization had 2.4 data breach incidents over the past two years. Major factors causing data breaches are unintentional employee action, lost or stolen computing devices and third-party error, the firm stated.
In addition, 58 percent of organizations reported having little or no confidence in their ability to appropriately secure patient records. Seventy-one percent of respondents have inadequate resources and 69 percent said they have insufficient policies and procedures in place to prevent and quickly detect patient data loss, the researchers found.
Seventy percent of responding hospitals stated that protecting patient data is not a top priority. Patient billing (35 percent) and medical records (26 percent) are the most susceptible to data loss or theft, the report stated, while a majority of organizations have less than two staff dedicated to data protection management (67 percent).
“HITECH has exposed the healthcare industry's lax data protection practices rather than improved the safety of patient records,” the report concluded. “The majority (71 percent) of respondents do not believe the HITECH Act regulations have significantly changed the management practices of patient records. The findings indicate that there are a significant number of data breaches that go undetected, and therefore unreported.”
The study acknowledged that because the sample size is small, "the ability to generalize findings about organizational size, organizational type and program maturity is limited. Great care should be exercised before attempting to generalize these findings to the population of all healthcare providers."