Data Breaches Cost US Hospitals $6 Billion Annually

A recently-released report revealed that many health care organizations in the United States experience undetected data breaches, which cost up to $1 million per organization per year, or about $6 billion annually. The failure of organizations to prevent or detect patient data breaches may result in medical identity theft, financial identity theft and unintentional disclosure of medical facts.

In Brief

The report, entitled the Benchmark Study on Patient Privacy and Data Security, was published by the Ponemon Institute and ID Experts in November 2010. The study was based on findings from 65 health care organizations (mainly hospitals) and included an examination of each organization’s privacy and data protection compliance activities; policies; program management activities; security technologies; security governance practices; and compliance with the mandates of the HITECH Act of 2009.

The major findings of the report are briefly outlined below:

  • Data breaches cost the US health care system billions of dollars each year. The study revealed that the economic impact of data breach incidents amounted to over $2 million over a two-year period.
  • The majority of health care organizations have undetected patient data breaches. Organizations participating in the study reported they had inadequate resources (71%); few appropriately trained personnel (52%); and insufficient policies and procedures in place (69%) that could quickly and effectively prevent/detect patient data loss. It was shown that data breaches went undetected due to the lack of preparation and staffing.
  • Patient data protection is not a priority in health care organizations. 70% of hospitals participating in the study responded that protecting patient data was not one of their top priorities. 67% of the organizations had fewer than two staff members dedicated to data protection management. At many organizations, patients were the first to detect a disturbingly high share of breaches (41%), meaning that sensitive data was being exposed, unknown to the organization, until the affected individuals discovered the breach themselves.
  • Despite recently enacted federal regulations, the security of patient records has not improved. Acts supporting the privacy and security of medical information, such as the HITECH Act of 2009 and HIPAA of 1996, have not resulted in stronger safeguards for patient data. According to the study, 71% of respondents did not believe that these federal regulations had sufficiently improved the management of patient records.

What is the HITECH Act?

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was enacted as part of the American Recovery and Reinvestment Act of 2009. It was designed to address privacy and security concerns regarding the electronic transmission of health information. With the HITECH Act, starting in 2011, a physician is eligible to receive up to $44,000 in incentives for “meaningful use” of an electronic health record (EHR).

The HITECH Act also extended the Privacy and Security Provisions of HIPAA, including their criminal and civil penalties, to business associates of covered entities. The Act imposes new breach notification requirements on the following entities:

  • Covered entities
  • Business associates
  • Vendors of personal health records
  • Related entities

Finally, the HITECH Act implements rules regarding disclosures of a patient’s health information. Disclosures include information that is used for treatment, payment and health care operations when the health care provider is using an EHR.

Moving to EHR

The majority of respondents in the Ponemon study believed that making the switch to electronic health records (EHR) would make patient data more secure. EHRs are longitudinal electronic records of patients’ health information. They are both generated and maintained within a health care institution, such as a hospital, integrated delivery network, clinic or physician’s office.

Such records would include:

  • Progress notes
  • Patient’s demographics
  • Past medical history
  • Immunizations
  • Health problems
  • Medications
  • Vital signs
  • Laboratory data
  • Radiology reports

Proponents argue that implementation of EHR processes and systems will help to provide additional functionality (e.g. interactive alerts, interactive flow sheets, tailored order sets), which may not be possible with traditional, paper-based systems. Other major benefits of EHRs include:

  • Reduction in medical error
  • Improved accuracy/clarity of records
  • Increased availability of health information
  • Reduced delays in treatment times
  • Less duplication of tests
  • Better-informed patients

According to a recent study conducted by researchers at the Stanford University School of Medicine, EHRs did little to improve the quality of health care. This finding was based on data from almost 250,000 patient visits between 2005 and 2007. Although the federal government’s American Recovery and Reinvestment Act of 2009 allotted $19.2 billion for health information technology, specifically for the adoption of EHRs, there has not yet been evidence of a positive impact.


The article takes a look at the 2010 Benchmark Study on Patient Privacy and Data Security, conducted by the Ponemon Institute. The study revealed that data breaches were costing hospitals across the US up to $6 billion each year. Breaches of patient information are largely undetected by the organization, due to lack of priority, resources, preparation and staffing for privacy and security management. The article then examines the HITECH Act (the Health Information Technology for Economic and Clinical Health Act), passed in 2009 to strengthen privacy and security safeguards for health information. One contentious issue is the adoption of electronic health records (EHRs). Although the federal government has created economic incentives for the implementation of EHR systems, researchers have found them ineffective at improving the quality of health care.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Regulatory Authorities – Department of Health and Human Service (HHS) (I.A.c.iv.)
  • Health Insurance Portability and Accountability Act of 1996 (I.B.a.v.2.)
  • Criminal and Civil Liability (II.B.a.)
