Yearly Hospital Breach Cost: $6 Billion
Small Study Estimates Total Annual Cost for All Incidents
Sixty percent of the organizations interviewed for the study reported two or more breach incidents during the past two years. The extrapolated average was 2.4 breach incidents. These incidents involved, on average, 1,769 records, although 61 percent involved just 10 to 100 records, according to the report.
The study, sponsored by ID Experts and conducted by Ponemon, a Traverse City, Mich.-based research firm, was based on interviews with executives at hospitals and integrated delivery systems as well as some clinics. Ponemon used a proprietary database of 457 organizations to solicit participants. A report on the results will be available Tuesday.
Asked to estimate the cost or total economic impact of data breaches over the past two years, 55 percent selected ranges of more than $500,000, with 23 percent estimating the costs at $1 million to $10 million and 6 percent saying more than $10 million. Ponemon came up with an extrapolated average cost of $2.06 million.
Breach Notification
Almost 40 percent of respondents said they did not notify patients about breaches, while 34 percent notified all patients affected.
The HITECH Act interim final breach notification rule requires hospitals and other healthcare organizations to report breaches to individuals affected if a risk assessment confirms a substantial risk of financial, reputational or other harm. That harm standard has proven controversial, and regulators are pondering whether to remove it from the final version of the rule.
Under the HITECH Act, breaches affecting 500 or more individuals must be reported to federal authorities and the media within 60 days.
HITECH also sets substantially higher penalties for violating the HIPAA privacy and security rules.
"Healthcare providers are at risk of non-compliance with regulations based on the practices revealed in this study," the report concludes. "They also risk severe economic consequences."
Among the report's other findings:
- Inadequate budget and lack of trained staff for security and privacy were the two reasons cited most frequently as the areas of vulnerability leading to breaches.
- The top reasons for breaches were unintentional action by staff, lost or stolen computer devices and third-party glitches.
- 58 percent of respondents said they have little or no confidence in their organization's ability to detect all patient data loss or theft.
- 28 percent said they have no staff dedicated to managing data protection efforts, and 35 percent said they had fewer than two staff members dedicated to the task.
- Only 18 percent have a formal process in place for conducting a post-breach risk assessment as HITECH requires, while 36 percent have an ad hoc process in place.
- 56 percent of participants either have an electronic health records system or are implementing one now. Of those that have an EHR in place, 74 percent said it has made patient data more secure.