Impact of data breach averages $2.2 million
These are some key findings from the Second Annual Benchmark Study on Patient Privacy & Data Security, released recently by The Ponemon Institute in Traverse City, MI:
Privileged user and access governance should be a higher priority, the report suggests. Only 29% of respondents agree that the prevention of unauthorized access to patient data and loss or theft of such data is a priority in their organizations.
Diminished productivity and financial consequences for healthcare organizations can be severe when a data breach incident occurs. Respondents reported that the average economic impact of a data breach was $2.2 million, up 10% from last year. In addition, most respondents believe their organization has suffered from time and productivity loss (81%) followed by brand or reputation diminishment (78%) and loss of patient goodwill (75%). The potential result is patient churn; the average lifetime value of one lost patient (customer) is $113,400, an increase from $107,580 in last year's study.
Medical identity theft poses a greater risk to patients. Employees are the group most likely to detect the data breach, according to 51% of participants. However, more than one-third (35%) of respondents say that data breaches were discovered by patient complaints. Once a breach is discovered, 83% of hospitals say that it takes in excess of 1-2 months to notify affected patients. Twenty-nine percent of respondents say their data breaches led to cases of identity theft, a 26% increase from last year.
While 90% of healthcare organizations say that breaches cause harm to patients, most of them (65%) do not offer protection services for the affected patients. This might be due to the fact that 72% of respondents do not believe credit monitoring is effective and believe another solution for the prevention and detection of medical identity theft is needed.
The average number of lost or stolen records per breach was 2,575. This is an increase from an average of 1,769 reported in the previous year.
The percentage of organizations fully implementing or in the process of implementing an electronic health records (EHR) system has increased from 56% last year to 66% in this year's study.
Perceptions that EHR systems create more security decreased from 74% in last year's study to 67% of respondents this year.