Nextgov

Health-care providers lose an average of $2.24 million every time private patient information is compromised by security breaches, costing doctors and hospitals nationwide an estimated $6.5 billion annually, a new study estimates.

The per-breach cost, which rose 10 percent this year, includes an average of $250,000 in legal fees, according to the Ponemon Institute's "Second Annual Benchmark Study on Patient Privacy and Data Security."

The frequency of data breaches among the 72 health-care organizations interviewed for the study increased by one-third this year compared with last year. Nearly all of the providers surveyed, 96 percent, reported at least one data breach in the last two years; the average number was four. The typical breach compromised 2,575 patient records, up from 1,769 last year.

"I don't see this getting better any time soon," says Larry Ponemon, founder of the Traverse City, Mich.-based Ponemon Institute, which researches information and privacy-management issues. Cash-starved providers are trimming IT security and privacy budgets, he says in a news release, particularly at not-for-profit hospitals and small clinics.

The report blames "employee mistakes and sloppiness" for a majority of the breaches, along with errors by third parties, including subcontractors. Nearly three out of 10 breaches led to identity theft, the respondents said, up 26 percent from 2010.

The explosion in the use of unsecured mobile devices is a major threat to data security, the report concludes. Half of the providers that reported using mobile computing devices said they had done nothing to protect the security of the data on them.

The Ponemon Institute survey was sponsored by ID Experts, a Portland, Ore.-based IT security services provider. The report can be downloaded at the ID Experts website (registration required.)