Setting aside the somewhat nebulous costs of Health Insurance Portability and Accountability Act (HIPAA) enforcement and the negative publicity involved with data breaches, we can still say definitively that the cost of a health care data breach is rising. How much? It costs $20,663 to resolve a case of medical identity theft, according to a recent survey commissioned by Experian and conducted by security research experts at the Ponemon Institute. That’s up $503 from last year’s survey results.
Oddly, hospitals understand the importance of securing patient data, but that doesn’t necessarily equate to their taking action to do it. Why is that? It could be that patients don’t yet understand the potential for bad repercussions when their information gets stolen.
“Our study shows that the risk and the high cost of medical identity theft are not resonating with the public, revealing a serious need for greater education and awareness,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a press release announcing the report. “We also feel these results put an even greater onus on health care organizations to make the security of sensitive personal health information a priority in order to protect patient privacy.”
Other key findings of the survey:
- Patients aren’t getting it: Half (49%) of past victims of medical identity theft took no new steps to protect themselves afterwards.
- Fewer victims are reporting identity theft: 50% did not report the incident to law enforcement or other legal authorities. That’s up from 46% in 2010.
- This next figure may explain the two above: 36% of all victims of medical identity theft said a family member was the thief, by far the most common scenario.
- Moreover, 51% of respondents said the No. 1 reason they didn’t report the incident after discovering it was that they knew the thief and did not want to report him or her.
- Respondents aren’t watching CNN or Fox News closely: More than half (55%) are not familiar with the new health care reform policies, or with how a new national health care database could potentially pose security risks to their data.
Finally, this last one’s on the health care providers: While 14% of medical identity thefts happened after a data breach, only 5% of victims learned about the theft through a breach notification from the provider. That gap appears to confirm a theory security experts express to SearchHealthIT.com editors in interviews on a fairly regular basis: Hospitals don’t have monitoring mechanisms in place to detect when a data breach occurs, so breaches are occurring unnoticed.