Data Breaches Cost Health Care Industry $6 Billion Annually: Report

A report by the Ponemon Institute and ID Experts finds hospitals suffering from breaches in the rush to adopt electronic health records.

As hospitals look to cash in on government incentives for meaningful use of electronic health records starting in 2011, they're leaving themselves vulnerable to $6 billion lost a year to data breaches industrywide, according to a benchmark study by the Ponemon Institute privacy and data-management research firm.

The survey was sponsored by ID Experts, a security consulting firm and maker of RADAR (Risk Assessment, Documentation and Reporting), a cloud-based risk-management program.

For the study, Ponemon Institute interviewed 211 senior-level managers at 65 health care organizations.

"A majority of the organizations concluded that they don't have the resources, the procedures nor the confidence to detect data breaches," Doug Pollack, vice president of strategy for ID Expert, told eWEEK.

The Ponemon Institute and ID Experts decided to carry out the study to find out how the Obama administration's HITECH Act governing electronic medical records and patient privacy would affect the amount of data breaches, he explained.

Enacted in 2009, the HITECH Act requires any organization that has experienced a privacy breach to inform affected individuals, the Secretary of Health and Human Services and the media if the breach exposed information for more than 500 individuals. HHS can be notified annually for breaches affecting less than 500 people.

"At this point one would hope to see that health care organizations have
improved information security practices and come into compliance with
HITECH now that it's been more than one year since it was enacted;
instead we found enormous vulnerabilities," Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement.

"Unfortunately, what we found is that it doesn't seem to have changed behavior in a very significant fashion," Pollack said. "Within these hospital systems, revenue trumps privacy. Until there are more enforcement actions, there's just not enough pain to change their investment model in terms of security and privacy."

Data breaches cost health care firms about $1 million a year, Ponemon wrote in his Nov. 9 blog post.

Reasons for data breaches include poor management of data access, lack of encryption, loss or theft of devices, and failure to shred documents, Ponemon wrote.

Costs of a data breach stem from notification of government authorities and the media as well as from litigation.

Data breaches can result in an estimated $107,580 in revenue losses from patients choosing other facilities for the rest of their lives, according to the report. "This is the first study I've seen in which they've been able to derive the cost in lost patients," Pollack said.

Of the health care facilities surveyed, 69 percent had insufficient
policies and procedures to thwart a data breach and detect the loss of
patient data. In addition, 70 percent of hospitals did not find protecting patient data a priority.

In addition, when asked what risks patients face from data breaches, 61 percent of health care managers surveyed said public exposure or embarrassment; 56 percent mentioned financial identity theft; and 45 percent cited medical identity theft.

On Oct. 29, Indiana Attorney General Greg Zoeller sued insurance company WellPoint for delaying to notify his office and 32,000 customers in the state of a data breach.

The actions by the Indiana AG were welcome, Pollack said. "I was pleased to see the Indiana attorney general's action, because it's starting to spread," he said. "It's just a matter of time before you'll see a couple of prominent health care providers hit with stiff penalties."

Another recent breach occurred when an employee for insurance company AmeriHealth Mercy lost a flash drive containing the private information of 280,000 Medicaid members.

"The good news is that the health care industry doesn't have to start from scratch, but can learn from the experience of the financial services and other consumer-facing industries," Ponemon concluded in his post. "The sooner this happens, the better for everyone who is a consumer of health care services-and that is everyone."