
Health IT Pulse

Mar 16 2011   1:00AM GMT

Cost of a data breach rises over last 12 months

Posted by: DonFluckinger
data breach, HIPAA, patient data security, PHI

Setting aside the somewhat nebulous costs of Health Insurance Portability and Accountability Act (HIPAA) enforcement and the negative publicity involved with data breaches, we can still say definitively that the cost of a health care data breach is rising. How much? It costs $20,663 to resolve a case of medical identity theft, according to a recent survey commissioned by Experian and conducted by security research experts at the Ponemon Institute. That’s up $503 from last year’s survey results.

Oddly, hospitals understand the importance of securing patient data, but that doesn’t necessarily equate to their taking action to do it. Why is that? It could be that patients don’t yet understand the potential for bad repercussions when their information gets stolen.

“Our study shows that the risk and the high cost of medical identity theft are not resonating with the public, revealing a serious need for greater education and awareness,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a press release announcing the report. “We also feel these results put an even greater onus on health care organizations to make the security of sensitive personal health information a priority in order to protect patient privacy.”

Other key findings of the survey:

  • Patients aren’t getting it: Half (49%) of past victims of medical identity theft took no new steps to protect themselves afterwards.
  • Fewer victims are reporting identity theft: 50% did not report the incident to law enforcement or other legal authorities. That’s up from 46% in 2010.
  • This next stat could explain the above two stats: 36% of all victims of medical identity theft said a family member was the thief. This was the most common scenario by an overwhelming margin.
  • Moreover, 51% of respondents indicated the No. 1 reason why they didn’t report the incident after discovery is that they knew the thief and did not want to report him or her.
  • Respondents aren’t watching CNN or Fox News closely: More than half (55%) are not familiar with or have no knowledge about the new health care reform policies — and how, potentially, a new national health care database could pose security risks to their data.

Finally, this last one’s on the health care providers: While 14% of medical identity thefts happened after a data breach, only 5% of victims learned about it via a breach notification from the provider. That appears to confirm a theory security experts express to editors in interviews on a fairly regular basis: Hospitals don’t have monitoring mechanisms in place to detect when a data breach occurs, and breaches are occurring unnoticed.
