Health Care Data Breaches Increase by 32 Percent: Ponemon Report

Health care data breaches are rising and many mobile devices are unprotected, according to an annual report by the Ponemon Institute.

The Ponemon Institute, a research firm that advises organizations on data security and privacy, has released a new survey of the health care industry showing a 32 percent increase in data breaches.

Data security consulting firm ID Experts sponsored Ponemon's report, the second-annual "Benchmark Study on Patient Privacy and Data Security," announced on Dec. 1. ID Experts provides assessment tools and response plans to help organizations deal with data security issues.

For the study, Ponemon interviewed senior personnel at 72 health care organizations in the administration, clinical, compliance, financial, privacy and security departments.

"Health care organizations are either complacent about data responsibilities or are under-resourced," Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, told eWEEK.

Ponemon compared a data breach to a small leak in a ship. "Data breaches don't have to be large to be significant," he said. "Small leaks can become big leaks pretty easily."

Three leading causes of data breaches in health care are lost or stolen equipment, errors by third parties and employee mistakes. In fact, 41 percent of respondents attributed the rise in breaches to sloppy mistakes by employees.

Data breaches have cost the health care industry an average of $6.5 billion annually since 2010. With that money, the industry would have been able to hire 81,250 nurses nationwide, the Ponemon Institute reports.

Of health care organizations surveyed, 96 percent have suffered a data breach in the last two years.

In addition, although 81 percent of health care organizations store personal health data on mobile devices, 49 percent of respondents say their companies take no steps to secure that data, according to the report. Encryption is the step that matters most here: under federal guidance accompanying the HITECH breach rule, patient data that was encrypted when a device went missing is not treated as an unsecured breach, while unencrypted data on the same lost device is.

"Unfortunately, these devices are not being secured; they're being left in cabs, on airplanes," Rick Kam, president and co-founder of ID Experts, told eWEEK.

"A lot of these organizations encourage the use of mobile devices, even personally owned mobile devices, but they don't understand the risk," Ponemon said.

More software will be available soon to protect mobile devices from malware, Ponemon noted.

Meanwhile, 61 percent of health care organizations are not confident they know where their patient data is located.

The Ponemon Institute conducted the study to better understand how health care providers handle privacy practices and the loss of patient information.

Three tools that health care organizations should implement to avoid data breaches are technology, compliance with laws on data exposure, and enforcing control practices and policy, Ponemon said.

Single sign-on is one tech tool health care companies can use to keep data secure, Ponemon noted.

In a positive development, health care organizations are relying more on policies and procedures rather than forming an "ad hoc" response, according to the report. In the last year, the number of organizations that have sufficient policies has increased from 41 percent to 47 percent.

A recent major data breach involved a desktop PC stolen in October 2011 from Sutter Health, a hospital system in Northern California, exposing data on 4.24 million patients.

In another incident, involving health insurer WellPoint, a flaw in an online insurance application tracker exposed Social Security numbers, financial information and health records from Oct. 23, 2009, to March 8, 2010.

On average, health care organizations notified patients of a breach within seven weeks, according to the report. Under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, health care organizations must notify affected patients without unreasonable delay and no later than 60 days after discovering a breach.