Data Breaches Cost Healthcare System Billions

Sept. 8, 2011
Despite requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 that healthcare providers put stronger safeguards around patient data, many hospitals are unprepared for the task. Moreover, data breaches cost the healthcare system an estimated $6 billion annually, according to a study released in November by the Ponemon Institute, Traverse City, Mich. The study was sponsored by ID Experts, Portland, Ore.


The study suggests that healthcare providers have a compelling economic reason to improve the data security in their organizations during the next year. “In general, when provider organizations have a data breach, they don’t understand the cost impact,” according to Larry Ponemon, chairman and founder of the Ponemon Institute. “They don’t understand all of the indirect or intrinsic costs that are associated with these kinds of data breaches.” Many clinicians also do not understand the economic impact of breaches, he adds.

A total of 65 healthcare organizations participated in the study, and respondents who were interviewed work in all areas of the organization, including security, administration, privacy, compliance, financial and clinical.

Key findings of the study include:
• The economic impact of data breach incidents over a two-year period is approximately $2 million per organization.
• Healthcare organizations said they have inadequate resources (71 percent), few if any trained personnel (52 percent) and insufficient policies and procedures in place (69 percent) to prevent and quickly detect data loss. Fifty-eight percent of the respondents said they have little or no confidence in their ability to secure patient records.
• Seventy percent of hospitals said that protecting patient data is not a priority. The majority of responding organizations (67 percent) have fewer than two staff members dedicated to data protection management. Most at risk are patient billing records and medical records. Patients are typically first to detect a significant number of breaches at healthcare organizations (41 percent).
• A majority (71 percent) of respondents do not believe that the passage of the HITECH Act or the widened scope of privacy and security protections under HIPAA have significantly changed the management of patient records.
• The top three causes of breaches are unintentional employee action, lost or stolen computing devices and third-party snafu. Sixty-three percent of the organizations said they took between one and six months to resolve the incident.

Interestingly, 56 percent of respondents said they are either in the process of implementing an electronic health record (EHR) system. A majority of those that have an EHR system said it has made patient data more secure.

Ponemon notes that the most common breaches involve about 100 records or less. While these don’t typically garner the headlines that mega-breaches of millions of health records do, the smaller breaches have a significant cumulative economic impact and damage the provider’s reputation. “People care deeply if their records are stolen, especially if their health records are lost or stolen,” he says. The Ponemon Institute has estimated the average lifetime value of one lost patient to be $107,580.

He adds that regulatory compliance can go only so far in improving security in an organization. “HIPAA, which has been around for a long time, has improved the state of data record security and has enabled better privacy practices. So I believe it has worked in part,” he says. “But I also think that a lot of these organizations that could go beyond compliance, and use the resources to do it, are probably not going to make the investments. They are going to look for things to get them to just barely to the requirement. That almost diminishes your security mission, because you are focusing on the wrong things.”

 
