Impact of data breach averages $2.2 million

These are some key findings from the Second Annual Benchmark Study on Patient Privacy & Data Security, released recently by The Ponemon Institute in Traverse City, MI:

• Privileged user and access governance should be a higher priority, the report suggests. Only 29% of respondents agree that the prevention of unauthorized access to patient data and loss or theft of such data is a priority in their organizations.

• Diminished productivity and financial consequences for healthcare organizations can be severe when a data breach incident occurs. Respondents reported that the average economic impact of a data breach was $2.2 million, up 10% from last year. In addition, most respondents believe their organization has suffered from time and productivity loss (81%), followed by brand or reputation diminishment (78%) and loss of patient goodwill (75%). The potential result is patient churn; the average lifetime value of one lost patient (customer) is $113,400, an increase from $107,580 in last year's study.

• Medical identity theft poses a greater risk to patients. Employees are the group most likely to detect the data breach, according to 51% of participants. However, more than one-third (35%) of respondents say that data breaches were discovered by patient complaints. Once a breach is discovered, 83% of hospitals say that it takes in excess of 1-2 months to notify affected patients. Twenty-nine percent of respondents say their data breaches led to cases of identity theft, a 26% increase from last year.

• While 90% of healthcare organizations say that breaches cause harm to patients, most of them (65%) do not offer protection services for the affected patients. This might be due to the fact that 72% of respondents do not believe credit monitoring is effective and believe another solution for the prevention and detection of medical identity theft is needed.

• The average number of lost or stolen records per breach was 2,575. This is an increase from an average of 1,769 reported in the previous year.

• The percentage of organizations fully implementing or in the process of implementing an electronic health records (EHR) system has increased from 56% last year to 66% in this year's study.

• The share of respondents who perceive that EHR systems create more security decreased from 74% in last year's study to 67% this year.